guardia-itsm/routers/si_risks.py

"""
위험 관리 API — 확률×영향 매트릭스, 자동 이슈 전환.

엔드포인트:
  GET    /api/si/projects/{pid}/risks         — 위험 목록 (레벨 필터)
  POST   /api/si/projects/{pid}/risks         — 위험 등록
  GET    /api/si/projects/{pid}/risks/{id}    — 위험 상세
  PATCH  /api/si/projects/{pid}/risks/{id}    — 위험 수정
  DELETE /api/si/projects/{pid}/risks/{id}    — 위험 삭제
  POST   /api/si/projects/{pid}/risks/{id}/convert-to-issue — 위험 → 이슈 전환
  GET    /api/si/projects/{pid}/risks/matrix  — 위험 매트릭스 (3×3 히트맵용)

위험 점수: probability_level × impact_level (1~9)
  9       → CRITICAL
  5~8     → HIGH (HIGH×HIGH=9 시 자동 이슈 전환 알림)
  3~4     → MEDIUM
  1~2     → LOW
"""
from __future__ import annotations

import logging
from datetime import datetime
from typing import List, Optional
from uuid import uuid4

from fastapi import APIRouter, Depends, HTTPException, Query
from sqlalchemy import select, desc
from sqlalchemy.ext.asyncio import AsyncSession

from core.auth import get_current_user
from database import get_db
from models import (
    SiProject, ProjectRisk, ProjectIssue,
    ProjectRiskCreate, ProjectRiskOut, ProjectRiskUpdate,
    IssueType, IssueStatus, RiskLevel, RiskStatus,
    User, UserRole,
)

logger = logging.getLogger(__name__)
router = APIRouter(prefix="/api/si/projects", tags=["si-risks"])


def _new_risk_id() -> str:
    return f"RSK-{datetime.now().strftime('%Y%m%d')}-{str(uuid4())[:5].upper()}"


def _new_issue_id() -> str:
    return f"ISS-{datetime.now().strftime('%Y%m%d')}-{str(uuid4())[:5].upper()}"


def _calc_risk_level(score: int) -> str:
    if score >= 9:
        return RiskLevel.CRITICAL
    if score >= 5:
        return RiskLevel.HIGH
    if score >= 3:
        return RiskLevel.MEDIUM
    return RiskLevel.LOW


# ── 목록 ──────────────────────────────────────────────────────────────────────

@router.get("/{project_id}/risks", response_model=List[ProjectRiskOut])
async def list_risks(
    project_id: int,
    risk_level: Optional[str] = Query(None),
    status:     Optional[str] = Query(None),
    category:   Optional[str] = Query(None),
    db: AsyncSession = Depends(get_db),
    current_user: User = Depends(get_current_user),
):
    await _assert_project(project_id, db)
    q = select(ProjectRisk).where(ProjectRisk.project_id == project_id)

    if risk_level:
        q = q.where(ProjectRisk.risk_level == risk_level)
    if status:
        q = q.where(ProjectRisk.status == status)
    if category:
        q = q.where(ProjectRisk.category == category)

    q = q.order_by(desc(ProjectRisk.risk_score))
    return (await db.execute(q)).scalars().all()


# ── 생성 ──────────────────────────────────────────────────────────────────────

@router.post("/{project_id}/risks", response_model=ProjectRiskOut, status_code=201)
async def create_risk(
    project_id: int,
    body: ProjectRiskCreate,
    db: AsyncSession = Depends(get_db),
    current_user: User = Depends(get_current_user),
):
    await _assert_project(project_id, db)

    score = body.probability_level * body.impact_level
    level = _calc_risk_level(score)

    risk = ProjectRisk(
        risk_id           = _new_risk_id(),
        project_id        = project_id,
        title             = body.title,
        description       = body.description,
        category          = body.category,
        probability_level = body.probability_level,
        impact_level      = body.impact_level,
        risk_score        = score,
        risk_level        = level,
        mitigation_plan   = body.mitigation_plan,
        contingency_plan  = body.contingency_plan,
        owner             = body.owner,
        due_date          = body.due_date,
    )
    db.add(risk)
    await db.commit()
    await db.refresh(risk)

    # CRITICAL 위험 자동 알림
    if level in (RiskLevel.CRITICAL, RiskLevel.HIGH):
        logger.warning(
            "고위험 등록: project_id=%d risk=%s level=%s score=%d",
            project_id, risk.risk_id, level, score,
        )

    return risk


# ── 상세 ──────────────────────────────────────────────────────────────────────

@router.get("/{project_id}/risks/{risk_id}", response_model=ProjectRiskOut)
async def get_risk(
    project_id: int, risk_id: int,
    db: AsyncSession = Depends(get_db),
    current_user: User = Depends(get_current_user),
):
    return await _get_risk_or_404(project_id, risk_id, db)


# ── 수정 ──────────────────────────────────────────────────────────────────────

@router.patch("/{project_id}/risks/{risk_id}", response_model=ProjectRiskOut)
async def update_risk(
    project_id: int, risk_id: int,
    body: ProjectRiskUpdate,
    db: AsyncSession = Depends(get_db),
    current_user: User = Depends(get_current_user),
):
    risk = await _get_risk_or_404(project_id, risk_id, db)

    data = body.model_dump(exclude_none=True)
    for field, val in data.items():
        setattr(risk, field, val)

    # 확률/영향 변경 시 점수 재계산
    if "probability_level" in data or "impact_level" in data:
        risk.risk_score = risk.probability_level * risk.impact_level
        risk.risk_level = _calc_risk_level(risk.risk_score)

    await db.commit()
    await db.refresh(risk)
    return risk


# ── 위험 → 이슈 전환 ──────────────────────────────────────────────────────────

@router.post("/{project_id}/risks/{risk_id}/convert-to-issue")
async def convert_risk_to_issue(
    project_id: int, risk_id: int,
    db: AsyncSession = Depends(get_db),
    current_user: User = Depends(get_current_user),
):
    """위험이 실제 발생했을 때 이슈로 전환."""
    if current_user.role not in (UserRole.ADMIN, UserRole.PM):
        raise HTTPException(403, "PM 이상 권한 필요")
    risk = await _get_risk_or_404(project_id, risk_id, db)

    if risk.converted_to_issue:
        raise HTTPException(400, "이미 이슈로 전환된 위험입니다")

    issue = ProjectIssue(
        issue_id    = _new_issue_id(),
        project_id  = project_id,
        issue_type  = IssueType.OTHER,
        title       = f"[위험 전환] {risk.title}",
        description = risk.description,
        priority    = "HIGH" if risk.risk_level in ("HIGH", "CRITICAL") else "MEDIUM",
        raised_by   = current_user.username,
        impact      = f"위험 점수: {risk.risk_score} ({risk.risk_level})\n완화 계획: {risk.mitigation_plan or '없음'}",
        from_risk_id = risk.id,
    )
    db.add(issue)

    risk.converted_to_issue = True
    risk.status = RiskStatus.OPEN

    await db.commit()
    await db.refresh(issue)
    return {"message": "위험이 이슈로 전환되었습니다", "issue_id": issue.issue_id}


# ── 삭제 ──────────────────────────────────────────────────────────────────────

@router.delete("/{project_id}/risks/{risk_id}", status_code=204)
async def delete_risk(
    project_id: int, risk_id: int,
    db: AsyncSession = Depends(get_db),
    current_user: User = Depends(get_current_user),
):
    if current_user.role not in (UserRole.ADMIN, UserRole.PM):
        raise HTTPException(403, "PM 이상 권한 필요")
    risk = await _get_risk_or_404(project_id, risk_id, db)
    await db.delete(risk)
    await db.commit()


# ── 위험 매트릭스 ─────────────────────────────────────────────────────────────

@router.get("/{project_id}/risks/matrix")
async def get_risk_matrix(
    project_id: int,
    db: AsyncSession = Depends(get_db),
    current_user: User = Depends(get_current_user),
):
    """3×3 위험 매트릭스 히트맵 데이터. 셀별 위험 목록 반환."""
    await _assert_project(project_id, db)
    risks = (await db.execute(
        select(ProjectRisk).where(
            ProjectRisk.project_id == project_id,
            ProjectRisk.status == RiskStatus.OPEN,
        )
    )).scalars().all()

    # 3×3 매트릭스 초기화 (probability × impact)
    matrix: dict = {}
    for p in (1, 2, 3):
        for i in (1, 2, 3):
            matrix[f"{p}x{i}"] = {
                "probability": p, "impact": i,
                "score": p * i,
                "level": _calc_risk_level(p * i),
                "risks": [],
            }

    for r in risks:
        key = f"{r.probability_level}x{r.impact_level}"
        if key in matrix:
            matrix[key]["risks"].append({
                "id":      r.id,
                "risk_id": r.risk_id,
                "title":   r.title,
                "owner":   r.owner,
            })

    return {
        "project_id": project_id,
        "open_risks": len(risks),
        "matrix": list(matrix.values()),
    }


# ── 내부 헬퍼 ─────────────────────────────────────────────────────────────────

async def _assert_project(project_id: int, db: AsyncSession) -> None:
    if not (await db.execute(
        select(SiProject).where(SiProject.id == project_id)
    )).scalars().first():
        raise HTTPException(404, f"SI 프로젝트 {project_id}를 찾을 수 없습니다")


async def _get_risk_or_404(project_id: int, risk_id: int, db: AsyncSession) -> ProjectRisk:
    risk = (await db.execute(
        select(ProjectRisk).where(
            ProjectRisk.id == risk_id,
            ProjectRisk.project_id == project_id,
        )
    )).scalars().first()
    if not risk:
        raise HTTPException(404, "위험을 찾을 수 없습니다")
    return risk