Function bodies 163 total

    public Page<AuditLog> getLogs(int page, int size) {
        return auditLogRepository.findByOrderByCreatedDateDesc(PageRequest.of(page, size));
    }

    public Page<AuditLog> getLogsByAction(String action, int page, int size) {
        return auditLogRepository.findByActionOrderByCreatedDateDesc(action, PageRequest.of(page, size));
    }

    public Page<AuditLog> getLogsByUser(String userId, int page, int size) {
        return auditLogRepository.findByUserIdOrderByCreatedDateDesc(userId, PageRequest.of(page, size));
    }

    private String getClientIp(HttpServletRequest request) {
        if (request == null) return "system";
        String xff = request.getHeader("X-Forwarded-For");
        if (xff != null && !xff.isEmpty()) {
            return xff.split(",")[0].trim();
        }
        return request.getRemoteAddr();
    }

public class AuthService {

    private static final Logger log = LoggerFactory.getLogger(AuthService.class);

    @Autowired
    private AdminUserRepository userRepository;

    @Autowired
    private AdminPermissionRepository permissionRepository;

    @Autowired
    private PasswordEncoder passwordEncoder;

    @Autowired
    private JwtTokenProvider tokenProvider;

    @Autowired
    private EmailDomainValidator emailDomainValidator;

    @Value("${admin.security.max-failed-attempts:5}")
    private int maxFailedAttempts;

    @Value("${admin.security.lockout-duration-minutes:30}")
    private int lockoutDurationMinutes;

    @Transactional
    public LoginResponse login(LoginRequest request) {
        String email = request.getEmail().toLowerCase().trim();

        // Gate 1: Email domain check — before anything else
        if (!emailDomainValidator.isEmailAllowed(email)) {
            log.warn("Login rejected — unauthorized email domain: {}", email);
            throw new Securi

    public LoginResponse login(LoginRequest request) {
        String email = request.getEmail().toLowerCase().trim();

        // Gate 1: Email domain check — before anything else
        if (!emailDomainValidator.isEmailAllowed(email)) {
            log.warn("Login rejected — unauthorized email domain: {}", email);
            throw new SecurityException("Unauthorized email domain. Only @" +
                    emailDomainValidator.getAllowedDomainsSummary() + " addresses are allowed.");
        }

        // Find user by email
        AdminUser user = userRepository.findByEmail(email)
                .orElseThrow(() -> {
                    log.warn("Login attempt with unknown email: {}", email);
                    return new IllegalArgumentException("Invalid email or password");
                });

        // Gate 2: Account active check
        if (!Boolean.TRUE.equals(user.getIsActive())) {
            log.warn("Login attempt for disabled account: {}", email);
            throw

    public LoginResponse getCurrentUser(String userId) {
        AdminUser user = userRepository.findById(userId)
                .orElseThrow(() -> new IllegalArgumentException("User not found: " + userId));

        List<String> permissionCodes = loadPermissionCodes(user.getRoleId());

        String roleName = user.getRole() != null ? user.getRole().getRoleLabel() : null;
        if (roleName == null && user.getRole() != null) {
            roleName = user.getRole().getRoleName();
        }

        return new LoginResponse(
                null,
                user.getUserId(),
                user.getUsername(),
                user.getEmail(),
                user.getFirstName(),
                user.getLastName(),
                roleName,
                permissionCodes,
                Boolean.TRUE.equals(user.getMustChangePassword())
        );
    }

    public void changePassword(String userId, ChangePasswordRequest request) {
        AdminUser user = userRepository.findById(userId)
                .orElseThrow(() -> new IllegalArgumentException("User not found"));

        if (!passwordEncoder.matches(request.getCurrentPassword(), user.getPasswordHash())) {
            throw new IllegalArgumentException("Current password is incorrect");
        }

        user.setPasswordHash(passwordEncoder.encode(request.getNewPassword()));
        user.setMustChangePassword(false);
        user.setModifiedBy(userId);
        user.setModifiedDate(new Timestamp(System.currentTimeMillis()));
        userRepository.save(user);

        log.info("Password changed for user {}", user.getEmail());
    }

    private void handleFailedAttempt(AdminUser user) {
        int attempts = (user.getFailedAttempts() != null ? user.getFailedAttempts() : 0) + 1;
        user.setFailedAttempts(attempts);

        if (attempts >= maxFailedAttempts) {
            long lockoutMs = lockoutDurationMinutes * 60_000L;
            user.setLockedUntil(new Timestamp(System.currentTimeMillis() + lockoutMs));
            log.warn("Account locked after {} failed attempts: {}", attempts, user.getEmail());
        }

        userRepository.save(user);
        log.warn("Failed login attempt {} of {} for: {}", attempts, maxFailedAttempts, user.getEmail());
    }

    private List<String> loadPermissionCodes(String roleId) {
        if (roleId == null) {
            return List.of();
        }
        return permissionRepository.findByRoleId(roleId).stream()
                .map(AdminPermission::getCode)
                .collect(Collectors.toList());
    }

public class ConfigService {

    private static final Logger log = LoggerFactory.getLogger(ConfigService.class);

    @Autowired
    private PlatformConfigRepository configRepository;

    @Transactional(readOnly = true)
    public List<PlatformConfig> getAllConfig() {
        List<PlatformConfig> configs = configRepository.findAll();
        // Mask secret values
        configs.forEach(c -> {
            if (Boolean.TRUE.equals(c.getIsSecret())) {
                c.setConfigValue("********");
            }
        });
        return configs;
    }

    @Transactional(readOnly = true)
    public List<PlatformConfig> getConfigByCategory(String category) {
        List<PlatformConfig> configs = configRepository.findByCategoryOrderByConfigKeyAsc(category);
        configs.forEach(c -> {
            if (Boolean.TRUE.equals(c.getIsSecret())) {
                c.setConfigValue("********");
            }
        });
        return configs;
    }

    @Transactional
    public void updateCon

    public List<PlatformConfig> getAllConfig() {
        List<PlatformConfig> configs = configRepository.findAll();
        // Mask secret values
        configs.forEach(c -> {
            if (Boolean.TRUE.equals(c.getIsSecret())) {
                c.setConfigValue("********");
            }
        });
        return configs;
    }

    public List<PlatformConfig> getConfigByCategory(String category) {
        List<PlatformConfig> configs = configRepository.findByCategoryOrderByConfigKeyAsc(category);
        configs.forEach(c -> {
            if (Boolean.TRUE.equals(c.getIsSecret())) {
                c.setConfigValue("********");
            }
        });
        return configs;
    }

    public void updateConfig(Map<String, String> updates, String modifiedBy) {
        for (Map.Entry<String, String> entry : updates.entrySet()) {
            PlatformConfig config = configRepository.findById(entry.getKey()).orElse(null);
            if (config != null) {
                config.setConfigValue(entry.getValue());
                config.setModifiedBy(modifiedBy);
                config.setModifiedDate(new Timestamp(System.currentTimeMillis()));
                configRepository.save(config);
                log.info("Config updated: {} by {}", entry.getKey(), modifiedBy);
            }
        }
    }

    public String getConfigValue(String key) {
        return configRepository.findById(key)
                .map(PlatformConfig::getConfigValue)
                .orElse(null);
    }

public class DashboardService {

    @Autowired
    private PlatformTenantRepository tenantRepository;

    @Autowired
    private TenantModuleRepository moduleRepository;

    @Autowired
    private AdminUserRepository userRepository;

    @Autowired
    private AuditLogRepository auditLogRepository;

    @Autowired
    private OperationsProvisioningService operationsProvisioning;

    @Transactional(readOnly = true)
    public Map<String, Object> getOverview() {
        Map<String, Object> overview = new LinkedHashMap<>();

        // Tenant stats
        overview.put("totalTenants", tenantRepository.count());
        overview.put("activeTenants", tenantRepository.countActive());
        overview.put("inactiveTenants", tenantRepository.countByStatus("Inactive"));

        // Module stats
        overview.put("totalLicenses", moduleRepository.countAllEnabled());
        overview.put("operationsLicenses", moduleRepository.countEnabledByModule("Operations"));
        overview.put("revie

    public Map<String, Object> getOverview() {
        Map<String, Object> overview = new LinkedHashMap<>();

        // Tenant stats
        overview.put("totalTenants", tenantRepository.count());
        overview.put("activeTenants", tenantRepository.countActive());
        overview.put("inactiveTenants", tenantRepository.countByStatus("Inactive"));

        // Module stats
        overview.put("totalLicenses", moduleRepository.countAllEnabled());
        overview.put("operationsLicenses", moduleRepository.countEnabledByModule("Operations"));
        overview.put("reviewerLicenses", moduleRepository.countEnabledByModule("Reviewer"));
        overview.put("publisherLicenses", moduleRepository.countEnabledByModule("Publisher"));
        overview.put("edmsLicenses", moduleRepository.countEnabledByModule("EDMS"));
        overview.put("plannerLicenses", moduleRepository.countEnabledByModule("Planner"));

        // Admin user stats
        overview.put("totalAdminUsers", userRepository.c

    public Map<String, Object> getPlatformHealth() {
        Map<String, Object> health = new LinkedHashMap<>();

        // Service status checks
        List<Map<String, Object>> services = new ArrayList<>();

        services.add(buildServiceStatus("Operations", operationsProvisioning.isOperationsAvailable(), "8102"));
        // Future: add Reviewer, Publisher, EDMS, Planner health checks here

        health.put("services", services);

        // License summary
        Map<String, Object> licenseSummary = new LinkedHashMap<>();
        for (String mod : List.of("Operations", "Reviewer", "Publisher", "EDMS", "Planner")) {
            licenseSummary.put(mod, Map.of(
                    "enabledCount", moduleRepository.countEnabledByModule(mod)
            ));
        }
        health.put("licenseSummary", licenseSummary);

        // Tenant summary
        health.put("activeTenants", tenantRepository.countActive());
        health.put("totalTenants", tenantRepository.count());

   

    private Map<String, Object> buildServiceStatus(String name, boolean isUp, String port) {
        Map<String, Object> svc = new LinkedHashMap<>();
        svc.put("name", name);
        svc.put("status", isUp ? "UP" : "DOWN");
        svc.put("port", port);
        return svc;
    }

public class EmailDomainValidator {

    private static final Logger log = LoggerFactory.getLogger(EmailDomainValidator.class);

    @Value("${admin.security.allowed-email-domains:dnxtsolutions.com}")
    private String envAllowedDomains;

    @Autowired
    private PlatformConfigRepository configRepository;

    public boolean isEmailAllowed(String email) {
        if (email == null || !email.contains("@")) {
            return false;
        }

        String domain = email.substring(email.indexOf("@") + 1).toLowerCase().trim();
        String normalizedEmail = email.toLowerCase().trim();

        // Layer 1: env var / application.properties
        Set<String> envDomains = parseCsv(envAllowedDomains);
        if (envDomains.contains(domain)) {
            return true;
        }

        // Layer 2: database config — allowed domains
        String dbDomains = getConfigValue("security.allowed_email_domains");
        if (dbDomains != null && parseCsv(dbDomains).contains(domain)) {
   

    public boolean isEmailAllowed(String email) {
        if (email == null || !email.contains("@")) {
            return false;
        }

        String domain = email.substring(email.indexOf("@") + 1).toLowerCase().trim();
        String normalizedEmail = email.toLowerCase().trim();

        // Layer 1: env var / application.properties
        Set<String> envDomains = parseCsv(envAllowedDomains);
        if (envDomains.contains(domain)) {
            return true;
        }

        // Layer 2: database config — allowed domains
        String dbDomains = getConfigValue("security.allowed_email_domains");
        if (dbDomains != null && parseCsv(dbDomains).contains(domain)) {
            return true;
        }

        // Layer 2: database config — individual email exceptions
        String dbEmails = getConfigValue("security.allowed_emails");
        if (dbEmails != null && parseCsv(dbEmails).contains(normalizedEmail)) {
            return true;
        }

        log.warn("Email dom

    public String getAllowedDomainsSummary() {
        Set<String> domains = parseCsv(envAllowedDomains);
        String dbDomains = getConfigValue("security.allowed_email_domains");
        if (dbDomains != null) {
            domains.addAll(parseCsv(dbDomains));
        }
        return String.join(", ", domains);
    }

    private Set<String> parseCsv(String csv) {
        if (csv == null || csv.isBlank()) {
            return Set.of();
        }
        return Arrays.stream(csv.split(","))
                .map(s -> s.trim().toLowerCase())
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }

    private String getConfigValue(String key) {
        return configRepository.findById(key)
                .map(PlatformConfig::getConfigValue)
                .orElse(null);
    }

public class FeatureService {

    private static final Logger log = LoggerFactory.getLogger(FeatureService.class);
    private static final ObjectMapper mapper = new ObjectMapper();

    @Autowired
    private TenantModuleRepository moduleRepository;

    @Autowired
    private ModulePlanRepository planRepository;

    /**
     * Get the final enabled features for a tenant's module.
     * Returns ALL features if no plan is assigned (backward compat).
     */
    public List<String> getEnabledFeatures(String tenantId, String moduleName) {
        TenantModule tenantModule = moduleRepository.findByTenantIdAndModuleName(tenantId, moduleName)
                .orElse(null);

        if (tenantModule == null || !Boolean.TRUE.equals(tenantModule.getIsEnabled())) {
            return List.of();
        }

        // If no plan assigned, return all features (backward compat / Enterprise default)
        if (tenantModule.getPlanId() == null) {
            return getAllFeaturesForModule(moduleN

    public List<String> getEnabledFeatures(String tenantId, String moduleName) {
        TenantModule tenantModule = moduleRepository.findByTenantIdAndModuleName(tenantId, moduleName)
                .orElse(null);

        if (tenantModule == null || !Boolean.TRUE.equals(tenantModule.getIsEnabled())) {
            return List.of();
        }

        // If no plan assigned, return all features (backward compat / Enterprise default)
        if (tenantModule.getPlanId() == null) {
            return getAllFeaturesForModule(moduleName);
        }

        // Load plan features
        ModulePlan plan = planRepository.findById(tenantModule.getPlanId()).orElse(null);
        if (plan == null) {
            log.warn("Plan not found: {} for tenant module {}:{}", tenantModule.getPlanId(), tenantId, moduleName);
            return getAllFeaturesForModule(moduleName);
        }

        Set<String> features = new LinkedHashSet<>(parseJsonArray(plan.getFeatures()));

        // Apply overrides
 

    public List<String> getAllFeaturesForModule(String moduleName) {
        // Find the plan with the most features (Enterprise)
        List<ModulePlan> plans = planRepository.findByModuleNameAndIsActiveTrueOrderBySortOrderAsc(moduleName);
        if (!plans.isEmpty()) {
            ModulePlan enterprise = plans.get(plans.size() - 1); // Last = highest tier
            return parseJsonArray(enterprise.getFeatures());
        }

        // Hardcoded fallback for Operations
        if ("Operations".equals(moduleName)) {
            return List.of("dashboard", "timesheets", "employees", "customers", "revenue", "pnl",
                    "banking", "payroll", "consulting", "invoices", "reports",
                    "object-manager", "workflows", "user-management", "settings");
        }

        return List.of();
    }

    private List<String> parseJsonArray(String json) {
        try {
            return mapper.readValue(json, new TypeReference<>() {});
        } catch (Exception e) {
            log.warn("Failed to parse feature JSON: {}", e.getMessage());
            return List.of();
        }
    }

public class GoogleAuthService {

    private static final Logger log = LoggerFactory.getLogger(GoogleAuthService.class);

    @Value("${admin.google.client-id:}")
    private String googleClientId;

    @Value("${admin.google.client-secret:}")
    private String googleClientSecret;

    @Value("${admin.google.redirect-uri:}")
    private String googleRedirectUri;

    @Autowired
    private AdminUserRepository userRepository;

    @Autowired
    private AdminRoleRepository roleRepository;

    @Autowired
    private AdminPermissionRepository permissionRepository;

    @Autowired
    private JwtTokenProvider tokenProvider;

    @Autowired
    private EmailDomainValidator emailDomainValidator;

    /**
     * Build the Google OAuth2 authorization URL.
     * Frontend redirects the user's browser to this URL.
     */
    public String getAuthorizationUrl() {
        return "https://accounts.google.com/o/oauth2/v2/auth"
                + "?client_id=" + googleClientId
                + "&

    public String getAuthorizationUrl() {
        return "https://accounts.google.com/o/oauth2/v2/auth"
                + "?client_id=" + googleClientId
                + "&redirect_uri=" + googleRedirectUri
                + "&response_type=code"
                + "&scope=openid%20email%20profile"
                + "&access_type=offline"
                + "&prompt=consent"
                + "&hd=dnxtsolutions.com";  // Restrict to dnxtsolutions.com domain
    }

    /**
     * Exchange the authorization code for tokens, verify the ID token,
     * find or create the admin user, and return a JWT login response.
     */
    @Transactional
    public LoginResponse handleCallback(String authCode) throws Exception {
        // Exchange auth code for tokens
        GoogleTokenResponse tokenResponse = new GoogleAuthorizationCodeTokenRequest(
                new NetHttpTransport(),
                JacksonFactory.getDefaultInstance(),
                "https://oauth2.googleapis.com/token",
    

    private AdminUser createGoogleUser(String email, String googleId,
                                        String firstName, String lastName, String avatarUrl) {
        // Default role: VIEWER (safe default — Super Admin can upgrade)
        AdminRole viewerRole = roleRepository.findByRoleName("VIEWER")
                .orElseThrow(() -> new IllegalStateException("VIEWER role not found"));

        String username = email.substring(0, email.indexOf("@"));
        if (userRepository.existsByUsername(username)) {
            username = username + "-" + UUID.randomUUID().toString().substring(0, 4);
        }

        AdminUser user = new AdminUser();
        user.setUserId(UUID.randomUUID().toString());
        user.setUsername(username);
        user.setEmail(email);
        user.setPasswordHash(null);  // No local password for SSO users
        user.setFirstName(firstName);
        user.setLastName(lastName);
        user.setRoleId(viewerRole.getRoleId());
        user.setIsActive(t

    private List<String> loadPermissionCodes(String roleId) {
        if (roleId == null) return List.of();
        return permissionRepository.findByRoleId(roleId).stream()
                .map(AdminPermission::getCode)
                .collect(Collectors.toList());
    }

    public Map<String, Object> provisionTenant(PlatformTenant tenant) {
        return provisionTenant(tenant, null);
    }

    public Map<String, Object> provisionTenant(PlatformTenant tenant, java.util.List<String> enabledFeatures) {
        Map<String, Object> result = new LinkedHashMap<>();

        try {
            // Step 1: Authenticate with Operations
            String opsToken = authenticateWithOperations();
            if (opsToken == null) {
                result.put("status", "failed");
                result.put("error", "Failed to authenticate with Operations service");
                return result;
            }

            // Step 2: Create tenant in Operations
            Map<String, Object> tenantPayload = buildTenantPayload(tenant);
            if (enabledFeatures != null) {
                tenantPayload.put("enabledFeatures", enabledFeatures);
            }

            HttpHeaders headers = new HttpHeaders();
            headers.setContentType(MediaType.APPLICATION_JSON);
            headers.setBearerAuth(opsToken);

            HttpEntity<Map<String, Object>> request = new HttpEnt

    public Map<String, Object> deactivateTenant(String tenantSlug) {
        Map<String, Object> result = new LinkedHashMap<>();

        try {
            String opsToken = authenticateWithOperations();
            if (opsToken == null) {
                result.put("status", "failed");
                result.put("error", "Failed to authenticate with Operations service");
                return result;
            }

            // Find tenant by slug, then deactivate
            HttpHeaders headers = new HttpHeaders();
            headers.setBearerAuth(opsToken);

            // Get all tenants to find the one matching our slug
            ResponseEntity<Map> listResponse = restTemplate.exchange(
                    operationsUrl + "/api/settings/tenants",
                    HttpMethod.GET,
                    new HttpEntity<>(headers),
                    Map.class
            );

            if (listResponse.getStatusCode().is2xxSuccessful() && listResponse.getBody() != null) {
   

    public boolean isOperationsAvailable() {
        try {
            ResponseEntity<String> response = restTemplate.getForEntity(
                    operationsUrl + "/actuator/health", String.class);
            return response.getStatusCode().is2xxSuccessful();
        } catch (Exception e) {
            log.warn("Operations service not reachable: {}", e.getMessage());
            return false;
        }
    }

    private String authenticateWithOperations() {
        try {
            Map<String, String> loginPayload = Map.of(
                    "username", opsUsername,
                    "password", opsPassword
            );

            HttpHeaders headers = new HttpHeaders();
            headers.setContentType(MediaType.APPLICATION_JSON);

            HttpEntity<Map<String, String>> request = new HttpEntity<>(loginPayload, headers);

            ResponseEntity<Map> response = restTemplate.exchange(
                    operationsUrl + "/api/auth/login",
                    HttpMethod.POST,
                    request,
                    Map.class
            );

            if (response.getStatusCode().is2xxSuccessful() && response.getBody() != null) {
                Map body = response.getBody();
                Map data = (Map) body.get("data");
                if (data != null) {
                    return (String) data.get("token");
                }
            }

            log

    private Map<String, Object> buildTenantPayload(PlatformTenant tenant) {
        Map<String, Object> payload = new LinkedHashMap<>();
        payload.put("tenantName", tenant.getTenantName());
        payload.put("tenantSlug", tenant.getTenantSlug());
        payload.put("domain", tenant.getDomain());
        payload.put("industry", tenant.getIndustry());
        payload.put("primaryContactName", tenant.getPrimaryContactName());
        payload.put("primaryContactEmail", tenant.getPrimaryContactEmail());
        payload.put("phone", tenant.getPhone());
        payload.put("address", tenant.getAddress());
        payload.put("status", "Active");
        payload.put("licenseType", tenant.getLicenseType());
        payload.put("maxUsers", tenant.getMaxUsers());
        payload.put("notes", tenant.getNotes());
        payload.put("isActive", true);
        return payload;
    }

public class SupportAccessService {

    private static final Logger log = LoggerFactory.getLogger(SupportAccessService.class);

    @Value("${admin.operations-service.internal-url:${OPERATIONS_INTERNAL_URL:http://localhost:8102}}")
    private String opsInternalUrl;

    @Value("${admin.operations-service.internal-api-key:${OPS_INTERNAL_API_KEY:}}")
    private String opsInternalApiKey;

    @Value("${admin.base-domain:${BASE_DOMAIN:dnxtcloud.com}}")
    private String baseDomain;

    private final RestTemplate restTemplate = new RestTemplate();

    /**
     * Check if the target tenant has support access enabled.
     */
    public boolean isSupportAccessEnabled() {
        try {
            HttpHeaders headers = new HttpHeaders();
            headers.set("X-Internal-Api-Key", opsInternalApiKey);

            ResponseEntity<Map> response = restTemplate.exchange(
                    opsInternalUrl + "/api/internal/support-access-status",
                    HttpMethod.GET,
         

    public boolean isSupportAccessEnabled() {
        try {
            HttpHeaders headers = new HttpHeaders();
            headers.set("X-Internal-Api-Key", opsInternalApiKey);

            ResponseEntity<Map> response = restTemplate.exchange(
                    opsInternalUrl + "/api/internal/support-access-status",
                    HttpMethod.GET,
                    new HttpEntity<>(headers),
                    Map.class
            );

            if (response.getStatusCode().is2xxSuccessful() && response.getBody() != null) {
                Map data = (Map) response.getBody().get("data");
                return data != null && Boolean.TRUE.equals(data.get("enabled"));
            }
            return false;
        } catch (Exception e) {
            log.error("Failed to check support access status: {}", e.getMessage());
            return false;
        }
    }

    public String generateSupportCode(String requestedBy, String reason) {
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_JSON);
        headers.set("X-Internal-Api-Key", opsInternalApiKey);

        Map<String, String> body = Map.of(
                "requestedBy", requestedBy,
                "reason", reason != null ? reason : "Support access via Global Admin"
        );

        ResponseEntity<Map> response = restTemplate.exchange(
                opsInternalUrl + "/api/internal/support-token",
                HttpMethod.POST,
                new HttpEntity<>(body, headers),
                Map.class
        );

        if (response.getStatusCode().is2xxSuccessful() && response.getBody() != null) {
            Map data = (Map) response.getBody().get("data");
            if (data != null) {
                return (String) data.get("code");
            }
        }

        String errorMsg = "Unknown error";
        if (response.ge

    public String buildRedirectUrl(String tenantSlug, String code) {
        return "https://" + tenantSlug + "-operations." + baseDomain + "/support-login?code=" + code;
    }

    /**
     * Build redirect URL using ops.dnxtcloud.com (for the current single-instance setup).
     */
    public String buildRedirectUrlDirect(String code) {
        return "https://ops." + baseDomain + "/support-login?code=" + code;
    }

public class TenantService {

    private static final Logger log = LoggerFactory.getLogger(TenantService.class);

    private static final List<String> ALL_MODULES = List.of(
            "Operations", "Reviewer", "Publisher", "EDMS", "Planner", "Support", "Consulting"
    );

    @Autowired
    private PlatformTenantRepository tenantRepository;

    @Autowired
    private TenantModuleRepository moduleRepository;

    @Autowired
    private OperationsProvisioningService operationsProvisioning;

    @Autowired
    private FeatureService featureService;

    @Transactional(readOnly = true)
    public List<PlatformTenant> getAllTenants() {
        return tenantRepository.findAll();
    }

    @Transactional(readOnly = true)
    public List<PlatformTenant> getActiveTenants() {
        return tenantRepository.findByIsActiveTrue();
    }

    @Transactional(readOnly = true)
    public PlatformTenant getTenant(String tenantId) {
        return tenantRepository.findById(tenantId)
             

    public List<PlatformTenant> getAllTenants() {
        return tenantRepository.findAll();
    }

    public List<PlatformTenant> getActiveTenants() {
        return tenantRepository.findByIsActiveTrue();
    }

    public PlatformTenant getTenant(String tenantId) {
        return tenantRepository.findById(tenantId)
                .orElseThrow(() -> new IllegalArgumentException("Tenant not found: " + tenantId));
    }

    public List<TenantModule> getTenantModules(String tenantId) {
        return moduleRepository.findByTenantId(tenantId);
    }

    public PlatformTenant createTenant(TenantCreateRequest request, String createdBy) {
        String slug = slugify(request.getTenantName());
        if (tenantRepository.existsByTenantSlug(slug)) {
            throw new IllegalArgumentException("Tenant slug already exists: " + slug);
        }

        PlatformTenant tenant = new PlatformTenant();
        tenant.setTenantId(UUID.randomUUID().toString());
        tenant.setTenantName(request.getTenantName());
        tenant.setTenantSlug(slug);
        tenant.setDomain(request.getDomain());
        tenant.setIndustry(request.getIndustry());
        tenant.setPrimaryContactName(request.getPrimaryContactName());
        tenant.setPrimaryContactEmail(request.getPrimaryContactEmail());
        tenant.setPhone(request.getPhone());
        tenant.setAddress(request.getAddress());
        tenant.setStatus("Active");
        tenant.setLicenseType(request.getLicenseType());
        tenant.setLicenseExpiry(request.getLicenseExpiry() != null ? 

    public PlatformTenant updateTenant(String tenantId, TenantCreateRequest request, String modifiedBy) {
        PlatformTenant tenant = getTenant(tenantId);

        tenant.setTenantName(request.getTenantName());
        if (request.getDomain() != null) tenant.setDomain(request.getDomain());
        if (request.getIndustry() != null) tenant.setIndustry(request.getIndustry());
        tenant.setPrimaryContactName(request.getPrimaryContactName());
        tenant.setPrimaryContactEmail(request.getPrimaryContactEmail());
        if (request.getPhone() != null) tenant.setPhone(request.getPhone());
        if (request.getAddress() != null) tenant.setAddress(request.getAddress());
        if (request.getLicenseType() != null) tenant.setLicenseType(request.getLicenseType());
        if (request.getLicenseExpiry() != null) tenant.setLicenseExpiry(Date.valueOf(request.getLicenseExpiry()));
        if (request.getMaxUsers() != null) tenant.setMaxUsers(request.getMaxUsers());
        if (request

    public void deactivateTenant(String tenantId, String modifiedBy) {
        PlatformTenant tenant = getTenant(tenantId);
        tenant.setIsActive(false);
        tenant.setStatus("Inactive");
        tenant.setModifiedBy(modifiedBy);
        tenant.setModifiedDate(new Timestamp(System.currentTimeMillis()));
        tenantRepository.save(tenant);

        // Disable all modules
        List<TenantModule> modules = moduleRepository.findByTenantId(tenantId);
        for (TenantModule module : modules) {
            module.setIsEnabled(false);
            module.setModifiedBy(modifiedBy);
            module.setModifiedDate(new Timestamp(System.currentTimeMillis()));
            moduleRepository.save(module);
        }

        log.info("Deactivated tenant: {} and disabled all modules", tenant.getTenantName());
    }