/**
 * @file no-direct-process-env.js
 * Enforce centralized env/config access.
 *
 * Prefer:
 * - getWebsiteServerEnv()/getWebsitePublicEnv() from '@/lib/config/env'
 * - getWebsiteApiBaseUrl() from '@/lib/config/apiBaseUrl'
 */

module.exports = {
  meta: {
    type: 'problem',
    docs: {
      description: 'Forbid direct process.env reads outside of config modules',
      category: 'Configuration',
      recommended: true,
    },
    schema: [],
    messages: {
      noProcessEnv:
        'Do not read process.env directly here. Use `getWebsiteServerEnv()` / `getWebsitePublicEnv()` (apps/website/lib/config/env.ts) or a dedicated config helper (e.g. getWebsiteApiBaseUrl()).',
    },
  },

  create(context) {
    const filename = context.getFilename();

    // Allow env reads in config layer and low-level infrastructure that must branch by env.
    if (
      filename.includes('/lib/config/') ||
      filename.includes('/lib/infrastructure/logging/') ||
      filename.includes('/eslint-rules/')
    ) {
      return {};
    }

    return {
      MemberExpression(node) {
        // process.env.X
        if (
          node.object &&
          node.object.type === 'MemberExpression' &&
          node.object.object &&
          node.object.object.type === 'Identifier' &&
          node.object.object.name === 'process' &&
          node.object.property &&
          node.object.property.type === 'Identifier' &&
          node.object.property.name === 'env'
        ) {
          context.report({ node, messageId: 'noProcessEnv' });
        }
      },
    };
  },
};