"""
Supabase anon client (singleton) — used for user-side auth operations.

This client uses SUPABASE_PUBLISHABLE_KEY (no RLS bypass, no admin privileges).
Its sole purpose is to host auth operations that MUTATE the client's session state
(sign_in_with_password, refresh_session). Keeping these calls isolated from the admin
client (supabase_client.py) prevents the admin client's state from being switched to
the user's session, which would break subsequent DB queries.

Usage (in auth_service.py):
    from app.core.supabase_anon_client import supabase_anon

    auth_response = supabase_anon.auth.sign_in_with_password({...})
    # supabase_anon is now in user-session state, but supabase (admin) is untouched
"""
from supabase import Client, create_client

from app.core.config import settings


def _build_anon_client() -> Client:
    """
    Build the anon Supabase client at module load.
    Fails fast if credentials are missing.
    """
    if not settings.SUPABASE_URL:
        raise RuntimeError(
            "SUPABASE_URL is not set in .env. Cannot initialize anon client."
        )
    if not settings.SUPABASE_PUBLISHABLE_KEY:
        raise RuntimeError(
            "SUPABASE_PUBLISHABLE_KEY is not set in .env. Cannot initialize anon client."
        )

    return create_client(
        supabase_url=settings.SUPABASE_URL,
        supabase_key=settings.SUPABASE_PUBLISHABLE_KEY,
    )


# Singleton instance — created once at module import, shared everywhere
supabase_anon: Client = _build_anon_client()
