"""
Ensure that every registered service has a corresponding admin group.

Called once at startup after register_services().  Idempotent — safe to run
on every restart, creates nothing if groups already exist.

Naming convention: "{service_id}-admin"  (e.g. "doc-service-admin")
"""
import logging

from sqlalchemy import select
from sqlalchemy.ext.asyncio import AsyncSession

from app.models.group import Group
from app.services.service_health import get_registry

logger = logging.getLogger(__name__)


async def ensure_service_admin_groups(db: AsyncSession) -> None:
    """Create a <service-id>-admin group for each registered service if absent."""
    for svc in get_registry():
        group_name = f"{svc.id}-admin"
        result = await db.execute(select(Group).where(Group.name == group_name))
        if result.scalar_one_or_none() is not None:
            continue

        import uuid
        group = Group(
            id=str(uuid.uuid4()),
            name=group_name,
            description=f"Administrators for the {svc.name} service.",
        )
        db.add(group)
        logger.info("[bootstrap] Created admin group %r for service %r", group_name, svc.id)

    await db.commit()