/**
 * Module settings registration.
 *
 * Note on `sharedSecret`: Foundry stores world-scope settings in a place
 * readable by all connected clients, not just GMs. A player with browser
 * console access can read the value. This is acceptable here because the
 * secret only authorizes pushing dnd5e actor data — which players already
 * have access to through normal play — and the Frappe side enforces all
 * other authorization. Rotate the secret if you stop trusting a player.
 *
 * NOTE(review): the rationale above is about who can *read* actor data, but
 * the secret authorizes *pushing* it. Presumably the receiving side should
 * therefore validate pushed actor data rather than treat every push as
 * GM-authored — confirm against the Frappe endpoint, which is not in this file.
 */
import { MODULE_ID } from "./constants.js";

/**
 * Registers this module's settings through `game.settings.register`.
 *
 * All four settings are world-scoped (`scope: "world"`) and exposed in the
 * settings UI (`config: true`). They are registered in declaration order:
 * `frappeBaseUrl`, `sharedSecret`, `worldId`, `manifestSyncIntervalMinutes`.
 *
 * @returns {void}
 */
export function registerSettings() {
  // One [key, config] pair per setting; the loop below registers them in order.
  const worldSettings = [
    [
      "frappeBaseUrl",
      {
        name: "Frappe Base URL",
        hint: "Base URL of your Seitime Frappe site, e.g. https://seitime.vassi.li (no trailing slash).",
        scope: "world",
        config: true,
        type: String,
        default: "",
        // NOTE(review): no scheme check is applied here. Presumably the shared
        // secret is sent to this URL, so it should be an https:// address —
        // verify where the value is consumed.
      },
    ],
    [
      "sharedSecret",
      {
        name: "Shared Secret",
        hint: "Bridge secret — must match Foundry Settings → Shared Secret on the Frappe side. Readable by any connected client; rotate if compromised.",
        scope: "world",
        config: true,
        type: String,
        default: "",
        // NOTE(review): `secret` is passed to game.settings.register as-is.
        // Confirm the targeted Foundry version recognises this key; if it does
        // not, it has no effect on how the value is stored or displayed.
        secret: true,
      },
    ],
    [
      "worldId",
      {
        name: "World ID",
        hint: "Identifier sent in the X-Bridge-World header. If you've configured Allowed World IDs on the Frappe side, this must be one of them. Leave blank to use the current Foundry world's id.",
        scope: "world",
        config: true,
        type: String,
        default: "",
      },
    ],
    [
      "manifestSyncIntervalMinutes",
      {
        name: "Manifest Sync Interval (minutes)",
        hint: "How often to push the actor manifest while the world is open. 0 disables periodic sync; on/create/delete pushes still fire.",
        scope: "world",
        config: true,
        type: Number,
        default: 15,
        range: { min: 0, max: 120, step: 1 },
      },
    ],
  ];

  for (const [settingKey, settingConfig] of worldSettings) {
    game.settings.register(MODULE_ID, settingKey, settingConfig);
  }
}