from datetime import datetime from pydantic import BaseModel, Field, field_validator from shared.contracts import StaffRole class AdminRootResponse(BaseModel): service: str status: str message: str environment: str class AdminHealthResponse(BaseModel): service: str status: str version: str class AdminSystemInfoResponse(BaseModel): service: str app_name: str environment: str version: str api_prefix: str debug: bool class AdminAuthenticatedStaffResponse(BaseModel): id: int email: str display_name: str role: StaffRole is_active: bool class AdminCurrentAccessResponse(BaseModel): service: str staff_account: AdminAuthenticatedStaffResponse permissions: list[str] class AdminCapabilityResponse(BaseModel): service: str action: str allowed: bool role: StaffRole class AdminAuditEntryResponse(BaseModel): id: int actor_staff_account_id: int | None event_type: str resource_type: str resource_id: str | None outcome: str message: str | None payload_json: dict | None ip_address: str | None user_agent: str | None created_at: datetime class AdminAuditListResponse(BaseModel): service: str events: list[AdminAuditEntryResponse] class AdminLoginRequest(BaseModel): email: str password: str = Field(min_length=1) @field_validator("email") @classmethod def validate_email(cls, value: str) -> str: normalized = value.strip().lower() if "@" not in normalized or normalized.startswith("@") or normalized.endswith("@"): raise ValueError("email must be a valid administrative login") return normalized class AdminRefreshTokenRequest(BaseModel): refresh_token: str = Field(min_length=1) class AdminSessionResponse(BaseModel): session_id: int access_token: str refresh_token: str token_type: str expires_in_seconds: int staff_account: AdminAuthenticatedStaffResponse class AdminLogoutResponse(BaseModel): service: str status: str message: str session_id: int