use crate::report::LeakTransport;
use hickory_proto::op::{Message, MessageType};
use serde::{Deserialize, Serialize};
use std::net::IpAddr;
use wtfnet_platform::FlowProtocol;

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ClassifiedEvent {
    pub timestamp_ms: u128,
    pub proto: FlowProtocol,
    pub src_ip: IpAddr,
    pub src_port: u16,
    pub dst_ip: IpAddr,
    pub dst_port: u16,
    pub iface_name: Option<String>,
    pub transport: LeakTransport,
    pub qname: Option<String>,
    pub qtype: Option<String>,
    pub rcode: Option<String>,
}

pub fn classify_dns_query(payload: &[u8]) -> Option<(String, String, String)> {
    let message = Message::from_vec(payload).ok()?;
    if message.message_type() != MessageType::Query {
        return None;
    }
    let query = message.queries().first()?;
    let qname = query.name().to_utf8();
    let qtype = query.query_type().to_string();
    let rcode = message.response_code().to_string();
    Some((qname, qtype, rcode))
}