Backend Architecture

@asynccontextmanager
async def lifespan(app: FastAPI):
    """Application lifecycle management."""
    logger.info(f"STARTUP: {settings.APP_NAME} v{settings.APP_VERSION}")
    
    # Validate environment
    validate_environment()
    
    # Initialize database
    await init_db()
    
    yield
    
    logger.info(f"SHUTDOWN: {settings.APP_NAME}")

def create_app() -> FastAPI:
    """Factory for creating FastAPI application."""
    app = FastAPI(
        title=settings.APP_NAME,
        version=settings.APP_VERSION,
        debug=settings.DEBUG,
        lifespan=lifespan,
    )
    
    # Configure middleware
    configure_middleware(app)
    
    # Register routes
    register_routes(app)
    
    return app

app = create_app()

# API Router with version prefix
v1 = APIRouter(prefix="/api/v1")

# Register business routers
api_route_modules = [
    audits,
    reports,
    analytics,
    search,
    pagespeed,
    keywords,
    ai_content,
    webhooks,
    sse,
    # ... other modules
]

for module in api_route_modules:
    v1.include_router(module.router)

app.include_router(v1)

# Global non-versioned routes
app.include_router(health.router)  # /health, /health/ready, /health/live

cors_origins = set(settings.CORS_ORIGINS)

if settings.DEBUG:
    cors_origins.update([
        "http://frontend:3000",
        "http://localhost:3000",
        "http://localhost:8000",
    ])

app.add_middleware(
    CORSMiddleware,
    allow_origins=list(cors_origins),
    allow_credentials=True,  # Required for auth cookies
    allow_methods=["*"],
    allow_headers=["*"],
)

class RateLimitMiddleware(BaseHTTPMiddleware):
    """Redis-backed distributed rate limiting."""
    
    def __init__(self, app,
                 default_limit: int = 100,
                 default_window: int = 60,
                 endpoint_limits: Dict[str, Tuple[int, int]] = None):
        self.endpoint_limits = endpoint_limits or {}
        # Endpoint-specific limits

endpoint_limits = {
    "/api/v1/auth": (10, 60),              # 10/min - prevent brute force
    "/api/v1/audits": (600, 60),           # 600/min - polling support
    "/api/v1/audits/generate-pdf": (10, 60), # 10/min - heavy operation
    "/api/v1/search": (30, 60),            # 30/min
    "/api/v1/webhooks": (1000, 60),        # Unlimited (internal)
}

class SecurityHeadersMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request: Request, call_next):
        response = await call_next(request)
        
        # Security headers
        response.headers["X-Content-Type-Options"] = "nosniff"
        response.headers["X-Frame-Options"] = "DENY"
        response.headers["X-XSS-Protection"] = "1; mode=block"
        response.headers["Strict-Transport-Security"] = "max-age=31536000"
        response.headers["Referrer-Policy"] = "strict-origin-when-cross-origin"
        
        # Content Security Policy
        response.headers["Content-Security-Policy"] = csp_directives
        
        return response

from uvicorn.middleware.proxy_headers import ProxyHeadersMiddleware

app.add_middleware(
    ProxyHeadersMiddleware,
    trusted_hosts=settings.FORWARDED_ALLOW_IPS
)

class RequestValidationMiddleware(BaseHTTPMiddleware):
    MAX_CONTENT_LENGTH = 10 * 1024 * 1024  # 10 MB
    MAX_URL_LENGTH = 2048
    
    async def dispatch(self, request: Request, call_next):
        # Check URL length
        if len(str(request.url)) > self.MAX_URL_LENGTH:
            return JSONResponse(status_code=414)
        
        # Check content length
        if content_length > self.MAX_CONTENT_LENGTH:
            return JSONResponse(status_code=413)
        
        # Block path traversal, XSS attempts, etc.
        suspicious_patterns = ["../", "<script", "javascript:", ...]
        
        return await call_next(request)

class RequestLoggingMiddleware(BaseHTTPMiddleware):
    async def dispatch(self, request: Request, call_next):
        start_time = time.time()
        response = await call_next(request)
        duration = time.time() - start_time
        
        logger.info(
            f"{request.method} {request.url.path} "
            f"- {response.status_code} "
            f"- {client_ip} "
            f"- {duration:.3f}s"
        )
        
        response.headers["X-Response-Time"] = f"{duration:.3f}s"
        return response

class AuditService:
    """Service for managing audits."""
    
    @staticmethod
    def create_audit(db: Session, audit_create: AuditCreate) -> Audit:
        """Create new audit with idempotency check."""
        # Check for active audits (prevent duplicates)
        active_audit = db.query(Audit).filter(
            Audit.url == url,
            Audit.status.in_([AuditStatus.PENDING, AuditStatus.RUNNING]),
        ).first()
        
        if active_audit:
            return active_audit
        
        # Create new audit
        audit = Audit(...)
        db.add(audit)
        db.commit()
        
        # Invalidate cache
        cache.delete(f"audits_list_{user_email}")
        
        return audit
    
    @staticmethod
    def progress_channel(audit_id: int) -> str:
        """Get Redis channel for audit progress."""
        return f"audit:progress:{audit_id}"
    
    @staticmethod
    def build_progress_payload(audit: Audit) -> dict:
        """Build progress payload for real-time updates."""
        return {
            "audit_id": audit.id,
            "status": audit.status,
            "progress": audit.progress,
            "geo_score": audit.geo_score,
            "total_pages": audit.total_pages,
        }

from app.core.auth import get_current_user, AuthUser
from app.core.access_control import ensure_audit_access

@router.get("/audits/{audit_id}")
async def get_audit(
    audit_id: int,
    current_user: AuthUser = Depends(get_current_user),
    db: Session = Depends(get_db)
):
    audit = AuditService.get_audit(db, audit_id)
    ensure_audit_access(audit, current_user)  # Check ownership
    return audit

def custom_openapi():
    openapi_schema = get_openapi(
        title="🎯 " + settings.APP_NAME,
        version=settings.APP_VERSION,
        summary="Plataforma de Auditoría SEO & GEO",
        routes=app.routes,
    )
    
    # Add security scheme
    openapi_schema["components"]["securitySchemes"] = {
        "HTTPBearer": {"type": "http", "scheme": "bearer"}
    }
    
    # Public endpoints (no auth required)
    public_operations = {
        ("post", "/api/v1/webhooks/github/incoming"),
        ("get", "/health"),
    }
    
    # Apply security to all endpoints except public
    for path, methods in openapi_schema["paths"].items():
        for method, operation in methods.items():
            if (method, path) not in public_operations:
                operation["security"] = [{"HTTPBearer": []}]
    
    return openapi_schema

app.openapi = custom_openapi