<?php
/**
 * POST /api/hub/messages/delete.php
 *
 * Soft-delete a message. Only the sender or channel admin/owner can delete.
 *
 * Body:
 *   MessageID      int     REQUIRED
 *   AgentAddress   string  REQUIRED  who is requesting the delete
 *
 * Response: { OK: true }
 */

require_once __DIR__ . '/../../helpers.php';

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    jsonResponse(['OK' => false, 'ERROR' => 'method_not_allowed'], 405);
}

$body = readJsonBody();

$messageId = (int) ($body['MessageID'] ?? 0);
$agentAddress = trim($body['AgentAddress'] ?? '');

if ($messageId <= 0) jsonResponse(['OK' => false, 'ERROR' => 'message_id_required']);
if ($agentAddress === '') jsonResponse(['OK' => false, 'ERROR' => 'agent_address_required']);

$msg = queryOne("SELECT * FROM Hub_Messages WHERE ID = ? AND IsDeleted = 0", [$messageId]);
if (!$msg) jsonResponse(['OK' => false, 'ERROR' => 'message_not_found']);

// Check permission: sender can delete their own, admins/owners can delete any
$allowed = ($msg['SenderAddress'] === $agentAddress);
if (!$allowed) {
    $membership = queryOne(
        "SELECT Role FROM Hub_ChannelMembers WHERE ChannelID = ? AND AgentAddress = ?",
        [(int) $msg['ChannelID'], $agentAddress]
    );
    if ($membership && in_array($membership['Role'], ['admin', 'owner'], true)) {
        $allowed = true;
    }
}

if (!$allowed) jsonResponse(['OK' => false, 'ERROR' => 'permission_denied']);

queryTimed("UPDATE Hub_Messages SET IsDeleted = 1 WHERE ID = ?", [$messageId]);

jsonResponse(['OK' => true]);