"""Serve project media files (video, image) from projects_root().

Path-traversal guard: resolved path must remain under projects_root()/project_id/.
"""
from fastapi import APIRouter, HTTPException
from fastapi.responses import FileResponse

from recoil.api.adapters._ids import validate_project_id
from recoil.core.paths import projects_root

router = APIRouter()


@router.get("/media/{project_id}/{path:path}")
def serve_media(project_id: str, path: str) -> FileResponse:
    try:
        validate_project_id(project_id)
    except (ValueError, KeyError):
        raise HTTPException(status_code=400, detail="Invalid project_id")

    root = projects_root()
    full = (root / project_id / path).resolve()
    project_root = (root / project_id).resolve()

    # Path traversal guard
    if not str(full).startswith(str(project_root) + "/"):
        raise HTTPException(status_code=403, detail="Forbidden")

    if not full.exists() or not full.is_file():
        raise HTTPException(status_code=404, detail="Not found")

    return FileResponse(str(full))