client.go

package client

import (
	"bytes"
	"context"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"net/netip"
	"net/url"
	"strings"
	"sync"
	"time"

	ory "github.com/ory/client-go"
	"github.com/ory/x/urlx"
)

// ErrCustomDomainNotFound is returned when a custom domain ID is not found in the project's domain list.
var ErrCustomDomainNotFound = errors.New("custom domain not found")

// ErrConsoleClientNotConfigured is returned when a console API method is called
// without a workspace API key configured. Callers can check with errors.Is.
var ErrConsoleClientNotConfigured = errors.New("console API client not configured")

const (
	// maxRetries is the maximum number of retry attempts for rate-limited requests.
	maxRetries = 3
	// initialBackoff is the initial backoff duration before first retry.
	initialBackoff = 1 * time.Second
)

const (
	// DefaultConsoleAPIURL is the default Ory Console API URL.
	DefaultConsoleAPIURL = "https://api.console.ory.sh"
	// DefaultProjectAPIURL is the default Ory Project API URL template.
	// The %s placeholder is replaced with the project slug.
	DefaultProjectAPIURL = "https://%s.projects.oryapis.com"
	// schemeHTTPS and schemeHTTP are used in URL scheme validation.
	schemeHTTPS = "https"
	schemeHTTP  = "http"
)

// oryAPIError represents the error structure returned by Ory APIs.
type oryAPIError struct {
	Error struct {
		ID      string `json:"id"`
		Code    int    `json:"code"`
		Status  string `json:"status"`
		Request string `json:"request"`
		Reason  string `json:"reason"`
		Message string `json:"message"`
		Details struct {
			Feature string `json:"feature"`
		} `json:"details"`
	} `json:"error"`
}

// OryErrorDebugInfo contains comprehensive debug information for API errors.
type OryErrorDebugInfo struct {
	StatusCode   int
	ErrorID      string
	ErrorMessage string
	ErrorReason  string
	RequestID    string
	Feature      string
	RawBody      string
	ErrorType    string
}

// String formats the debug info for logging.
func (d OryErrorDebugInfo) String() string {
	return fmt.Sprintf(`
======================================================================
ORY API ERROR DEBUG INFO
======================================================================
Error Type: %s
Status Code: %d
Error ID: %s
Error Message: %s
Error Reason: %s
Request ID: %s
Feature: %s
----------------------------------------------------------------------
Raw Response Body:
%s
----------------------------------------------------------------------
NOTE: Provide the Request ID to Ory support for debugging.
======================================================================`,
		d.ErrorType, d.StatusCode, d.ErrorID, d.ErrorMessage,
		d.ErrorReason, d.RequestID, d.Feature, d.RawBody)
}

// extractDebugInfo extracts comprehensive debug information from an error.
func extractDebugInfo(err error) OryErrorDebugInfo {
	info := OryErrorDebugInfo{
		ErrorType: fmt.Sprintf("%T", err),
	}

	if err == nil {
		return info
	}

	// Try to extract the error body from GenericOpenAPIError
	var bodyStr string
	var apiErr *ory.GenericOpenAPIError
	if errors.As(err, &apiErr) {
		bodyStr = string(apiErr.Body())
		info.RawBody = bodyStr
	} else {
		// Try to find JSON in the error string
		errStr := err.Error()
		info.RawBody = errStr
		if idx := strings.Index(errStr, "{"); idx >= 0 {
			bodyStr = errStr[idx:]
		}
	}

	if bodyStr == "" {
		return info
	}

	var parsed oryAPIError
	if jsonErr := json.Unmarshal([]byte(bodyStr), &parsed); jsonErr == nil {
		info.StatusCode = parsed.Error.Code
		info.ErrorID = parsed.Error.ID
		info.ErrorMessage = parsed.Error.Message
		info.ErrorReason = parsed.Error.Reason
		info.RequestID = parsed.Error.Request
		info.Feature = parsed.Error.Details.Feature
	}

	return info
}

// parseFeatureError attempts to extract feature availability info from an error.
// Returns the feature name and reason if this is a feature_not_available error.
func parseFeatureError(err error) (feature string, reason string, requestID string, ok bool) {
	if err == nil {
		return "", "", "", false
	}

	// Try to extract the error body from GenericOpenAPIError
	var bodyStr string
	var apiErr *ory.GenericOpenAPIError
	if errors.As(err, &apiErr) {
		bodyStr = string(apiErr.Body())
	} else {
		// Try to find JSON in the error string
		errStr := err.Error()
		if idx := strings.Index(errStr, "{"); idx >= 0 {
			bodyStr = errStr[idx:]
		}
	}

	if bodyStr == "" {
		return "", "", "", false
	}

	var parsed oryAPIError
	if jsonErr := json.Unmarshal([]byte(bodyStr), &parsed); jsonErr != nil {
		return "", "", "", false
	}

	if parsed.Error.ID == "feature_not_available" {
		return parsed.Error.Details.Feature, parsed.Error.Reason, parsed.Error.Request, true
	}

	return "", "", parsed.Error.Request, false
}

// wrapAPIError enhances API errors with more helpful context.
// It extracts debug information and provides actionable error messages.
func wrapAPIError(err error, operation string) error {
	if err == nil {
		return nil
	}

	// Extract debug info for all errors
	debugInfo := extractDebugInfo(err)

	// Check for feature availability errors first
	if feature, reason, requestID, ok := parseFeatureError(err); ok {
		return fmt.Errorf("%s: feature '%s' not available on current plan.\n"+
			"Reason: %s\n"+
			"Request ID: %s (provide this to Ory support)\n"+
			"\nDebug Info:%s",
			operation, feature, reason, requestID, debugInfo.String())
	}

	errStr := err.Error()

	// EOF errors typically mean the API closed the connection without a response.
	// This often happens when a feature requires an enterprise plan.
	if errors.Is(err, io.EOF) || strings.Contains(errStr, "EOF") || strings.Contains(errStr, "error reading from server") {
		return fmt.Errorf("%s: connection closed by server (EOF). This may indicate:\n"+
			"  - The feature requires an Ory Network enterprise plan (e.g., B2B Organizations)\n"+
			"  - Invalid or expired API credentials\n"+
			"  - Network connectivity issues\n"+
			"Request ID: %s\n"+
			"Original error: %w",
			operation, debugInfo.RequestID, err)
	}

	// Check for common HTTP error patterns
	if strings.Contains(errStr, "401") || strings.Contains(errStr, "Unauthorized") {
		return fmt.Errorf("%s: unauthorized (401).\n"+
			"Check that your API key is valid and has the required permissions.\n"+
			"Request ID: %s\n"+
			"Original error: %w",
			operation, debugInfo.RequestID, err)
	}

	if strings.Contains(errStr, "403") || strings.Contains(errStr, "Forbidden") {
		return fmt.Errorf("%s: forbidden (403).\n"+
			"Your API key may not have permission for this operation, or the feature may require an enterprise plan.\n"+
			"Request ID: %s\n"+
			"Error Reason: %s\n"+
			"Original error: %w",
			operation, debugInfo.RequestID, debugInfo.ErrorReason, err)
	}

	if strings.Contains(errStr, "404") || strings.Contains(errStr, "Not Found") {
		return fmt.Errorf("%s: resource not found (404).\n"+
			"Verify the resource ID and project configuration.\n"+
			"Request ID: %s\n"+
			"Original error: %w",
			operation, debugInfo.RequestID, err)
	}

	// For any other error, include the request ID if available
	if debugInfo.RequestID != "" {
		return fmt.Errorf("%s: %w (Request ID: %s)", operation, err, debugInfo.RequestID)
	}

	return err
}

// isRateLimitError checks if the error is a rate limit (429) error.
func isRateLimitError(err error) bool {
	if err == nil {
		return false
	}
	errStr := err.Error()
	return strings.Contains(errStr, "429") || strings.Contains(errStr, "Too Many Requests")
}

// isRetryableError checks if the error is a server error (5xx) that should be retried.
func isRetryableError(err error) bool {
	if err == nil {
		return false
	}
	errStr := err.Error()
	return strings.Contains(errStr, "500") ||
		strings.Contains(errStr, "502") ||
		strings.Contains(errStr, "503") ||
		strings.Contains(errStr, "504") ||
		strings.Contains(errStr, "Internal Server Error") ||
		strings.Contains(errStr, "Bad Gateway") ||
		strings.Contains(errStr, "Service Unavailable") ||
		strings.Contains(errStr, "Gateway Timeout")
}

// IsTransientError reports whether err is a transient API error (5xx or 429)
// that is safe to retry, as opposed to a permanent error (4xx auth/permission)
// that should fail fast.
func IsTransientError(err error) bool {
	return isRetryableError(err) || isRateLimitError(err)
}

// retryWithBackoff executes a function with exponential backoff on rate limit errors.
func retryWithBackoff[T any](ctx context.Context, operation string, fn func() (T, error)) (T, error) {
	var result T
	var err error
	backoff := initialBackoff

	for attempt := 0; attempt <= maxRetries; attempt++ {
		result, err = fn()
		if err == nil {
			return result, nil
		}

		if !isRateLimitError(err) {
			return result, err
		}

		if attempt == maxRetries {
			return result, fmt.Errorf("%s: rate limit exceeded after %d retries: %w", operation, maxRetries, err)
		}

		// Wait before retrying
		select {
		case <-ctx.Done():
			return result, ctx.Err()
		case <-time.After(backoff):
			backoff *= 2 // Exponential backoff
		}
	}

	return result, err
}

// OryClientConfig holds configuration for the Ory API client.
type OryClientConfig struct {
	WorkspaceAPIKey string
	ProjectAPIKey   string
	ProjectID       string
	ProjectSlug     string
	WorkspaceID     string
	ConsoleAPIURL   string
	ProjectAPIURL   string // URL template with %s placeholder for slug (e.g., "https://%s.projects.oryapis.com")
	UserAgent       string
}

// OryClient wraps the Ory SDK clients.
// Ory Network uses two different APIs:
// 1. Console API (api.console.ory.sh) - for projects, workspaces, organizations
// 2. Project API ({slug}.projects.oryapis.com) - for identities, OAuth2 clients
type OryClient struct {
	config OryClientConfig

	// Console API client (for organizations, projects, workspaces)
	consoleClient *ory.APIClient

	// Project API client (for identities, OAuth2)
	projectClient   *ory.APIClient
	projectClientMu sync.Mutex

	// cachedProjects stores PatchProject responses to avoid stale GetProject reads.
	// The Ory API has eventual consistency: GetProject may return stale data
	// immediately after PatchProject. This cache ensures Read operations
	// see the latest state after Create/Update.
	cachedProjects sync.Map

	// cachedSlugs caches project ID -> slug mappings resolved via the console API.
	// This avoids redundant API calls when multiple CRUD operations resolve the
	// same project_id within a single Terraform run.
	cachedSlugs sync.Map
}

// NewOryClient creates a new Ory API client.
func NewOryClient(cfg OryClientConfig) (*OryClient, error) {
	client := &OryClient{config: cfg}

	// Initialize console client if workspace API key is provided
	if cfg.WorkspaceAPIKey != "" {
		// Validate the console API URL
		parsedURL, err := urlx.Parse(cfg.ConsoleAPIURL)
		if err != nil {
			return nil, fmt.Errorf("invalid console API URL %q: %w", cfg.ConsoleAPIURL, err)
		}
		if parsedURL.Scheme != schemeHTTPS && parsedURL.Scheme != schemeHTTP {
			return nil, fmt.Errorf("invalid console API URL %q: must use http or https scheme", cfg.ConsoleAPIURL)
		}

		consoleCfg := ory.NewConfiguration()
		consoleCfg.UserAgent = cfg.UserAgent
		consoleCfg.Host = parsedURL.Host
		consoleCfg.Scheme = parsedURL.Scheme
		consoleCfg.Servers = ory.ServerConfigurations{
			{URL: cfg.ConsoleAPIURL},
		}
		consoleCfg.AddDefaultHeader("Authorization", "Bearer "+cfg.WorkspaceAPIKey)

		// CRITICAL: The SDK has hardcoded operation-specific server URLs for all
		// console API operations (ProjectAPI, WorkspaceAPI, EventsAPI). These override
		// the main Servers config. We must override each operation to use our custom URL.
		consoleServer := ory.ServerConfigurations{{URL: cfg.ConsoleAPIURL}}
		consoleCfg.OperationServers = map[string]ory.ServerConfigurations{
			// ProjectAPI operations
			"ProjectAPIService.CreateProject":                          consoleServer,
			"ProjectAPIService.GetProject":                             consoleServer,
			"ProjectAPIService.ListProjects":                           consoleServer,
			"ProjectAPIService.PatchProject":                           consoleServer,
			"ProjectAPIService.PatchProjectWithRevision":               consoleServer,
			"ProjectAPIService.PurgeProject":                           consoleServer,
			"ProjectAPIService.SetProject":                             consoleServer,
			"ProjectAPIService.GetProjectMembers":                      consoleServer,
			"ProjectAPIService.RemoveProjectMember":                    consoleServer,
			"ProjectAPIService.CreateProjectApiKey":                    consoleServer,
			"ProjectAPIService.DeleteProjectApiKey":                    consoleServer,
			"ProjectAPIService.ListProjectApiKeys":                     consoleServer,
			"ProjectAPIService.CreateOrganization":                     consoleServer,
			"ProjectAPIService.DeleteOrganization":                     consoleServer,
			"ProjectAPIService.GetOrganization":                        consoleServer,
			"ProjectAPIService.ListOrganizations":                      consoleServer,
			"ProjectAPIService.UpdateOrganization":                     consoleServer,
			"ProjectAPIService.CreateOrganizationOnboardingPortalLink": consoleServer,
			"ProjectAPIService.DeleteOrganizationOnboardingPortalLink": consoleServer,
			"ProjectAPIService.GetOrganizationOnboardingPortalLinks":   consoleServer,
			"ProjectAPIService.UpdateOrganizationOnboardingPortalLink": consoleServer,
			// WorkspaceAPI operations
			"WorkspaceAPIService.CreateWorkspace":       consoleServer,
			"WorkspaceAPIService.GetWorkspace":          consoleServer,
			"WorkspaceAPIService.ListWorkspaces":        consoleServer,
			"WorkspaceAPIService.UpdateWorkspace":       consoleServer,
			"WorkspaceAPIService.ListWorkspaceProjects": consoleServer,
			// EventsAPI operations
			"EventsAPIService.CreateEventStream": consoleServer,
			"EventsAPIService.DeleteEventStream": consoleServer,
			"EventsAPIService.ListEventStreams":  consoleServer,
			"EventsAPIService.SetEventStream":    consoleServer,
		}

		client.consoleClient = ory.NewAPIClient(consoleCfg)
	}

	// Initialize project client if project API key and slug are provided
	if cfg.ProjectAPIKey != "" && cfg.ProjectSlug != "" {
		// Use configurable URL template, defaulting to production
		projectAPIURL := cfg.ProjectAPIURL
		if projectAPIURL == "" {
			projectAPIURL = DefaultProjectAPIURL
		}
		// Format the URL template with the project slug and validate it
		formattedURL := fmt.Sprintf(projectAPIURL, cfg.ProjectSlug)
		parsedURL, err := urlx.Parse(formattedURL)
		if err != nil {
			return nil, fmt.Errorf("invalid project API URL %q: %w", formattedURL, err)
		}
		if parsedURL.Scheme != schemeHTTPS && parsedURL.Scheme != schemeHTTP {
			return nil, fmt.Errorf("invalid project API URL %q: must use http or https scheme", formattedURL)
		}

		projectCfg := ory.NewConfiguration()
		projectCfg.UserAgent = cfg.UserAgent
		projectCfg.Host = parsedURL.Host
		projectCfg.Scheme = parsedURL.Scheme
		projectCfg.Servers = ory.ServerConfigurations{
			{URL: formattedURL},
		}
		projectCfg.AddDefaultHeader("Authorization", "Bearer "+cfg.ProjectAPIKey)
		client.projectClient = ory.NewAPIClient(projectCfg)
	}

	return client, nil
}

// ConsoleAPI returns the console API client.
func (c *OryClient) ConsoleAPI() *ory.APIClient {
	return c.consoleClient
}

// ProjectAPI returns the project API client.
func (c *OryClient) ProjectAPI() *ory.APIClient {
	return c.projectClient
}

// Config returns the client configuration.
func (c *OryClient) Config() OryClientConfig {
	return c.config
}

// ProjectID returns the configured project ID.
func (c *OryClient) ProjectID() string {
	return c.config.ProjectID
}

// WorkspaceID returns the configured workspace ID.
func (c *OryClient) WorkspaceID() string {
	return c.config.WorkspaceID
}

// ResolveProjectSlug resolves a project ID to its slug via the console API.
// Results are cached to avoid redundant API calls within a single Terraform run.
func (c *OryClient) ResolveProjectSlug(ctx context.Context, projectID string) (string, error) {
	if projectID == "" {
		return "", fmt.Errorf("project_id must not be empty")
	}
	if slug, ok := c.cachedSlugs.Load(projectID); ok {
		return slug.(string), nil
	}
	if c.consoleClient == nil {
		return "", fmt.Errorf("console API client not configured: workspace_api_key is required to resolve project_id to slug")
	}
	project, err := c.GetProject(ctx, projectID)
	if err != nil {
		return "", fmt.Errorf("resolving project slug for project %s: %w", projectID, err)
	}
	slug := project.GetSlug()
	c.cachedSlugs.Store(projectID, slug)
	return slug, nil
}

// ProjectClientForProject returns a project-scoped client for the given project ID.
// It resolves the project slug via the console API and uses the provider's project API key.
func (c *OryClient) ProjectClientForProject(ctx context.Context, projectID string) (*OryClient, error) {
	slug, err := c.ResolveProjectSlug(ctx, projectID)
	if err != nil {
		return nil, err
	}
	apiKey := c.config.ProjectAPIKey
	if apiKey == "" {
		return nil, fmt.Errorf("project_api_key is required for project API operations (JWK, OAuth2, etc.): " +
			"set it on the provider or via ORY_PROJECT_API_KEY environment variable")
	}
	return c.WithProjectCredentials(slug, apiKey), nil
}

// WithProjectCredentials returns a new OryClient that uses the given project
// credentials. The returned client shares the console client with the parent
// but has its own isolated project client (lazily initialized).
// This avoids race conditions from mutating shared state and is safe for
// concurrent use by multiple resources with different credentials.
func (c *OryClient) WithProjectCredentials(slug, apiKey string) *OryClient {
	newConfig := c.config
	newConfig.ProjectSlug = slug
	newConfig.ProjectAPIKey = apiKey

	return &OryClient{
		config:        newConfig,
		consoleClient: c.consoleClient,
		// projectClient is nil — ensureProjectClient will lazily initialize it
		// projectClientMu and cachedProjects are zero-valued (valid)
	}
}

// ensureProjectClient lazily initializes the project API client.
// Returns an error with a helpful message if credentials are missing.
func (c *OryClient) ensureProjectClient() error {
	c.projectClientMu.Lock()
	defer c.projectClientMu.Unlock()

	if c.projectClient != nil {
		return nil
	}

	if c.config.ProjectSlug == "" || c.config.ProjectAPIKey == "" {
		return fmt.Errorf("project API client not configured: project_slug and project_api_key are required. " +
			"Set them on the provider or pass them as resource-level attributes (project_slug, project_api_key)")
	}

	projectAPIURL := c.config.ProjectAPIURL
	if projectAPIURL == "" {
		projectAPIURL = DefaultProjectAPIURL
	}
	formattedURL := fmt.Sprintf(projectAPIURL, c.config.ProjectSlug)
	parsedURL, err := urlx.Parse(formattedURL)
	if err != nil {
		return fmt.Errorf("invalid project API URL %q: %w", formattedURL, err)
	}
	if parsedURL.Scheme != schemeHTTPS && parsedURL.Scheme != schemeHTTP {
		return fmt.Errorf("invalid project API URL %q: must use http or https scheme", formattedURL)
	}

	projectCfg := ory.NewConfiguration()
	projectCfg.UserAgent = c.config.UserAgent
	projectCfg.Host = parsedURL.Host
	projectCfg.Scheme = parsedURL.Scheme
	projectCfg.Servers = ory.ServerConfigurations{
		{URL: formattedURL},
	}
	projectCfg.AddDefaultHeader("Authorization", "Bearer "+c.config.ProjectAPIKey)
	c.projectClient = ory.NewAPIClient(projectCfg)

	return nil
}

// requireConsoleClient returns an error wrapping ErrConsoleClientNotConfigured
// if the console API client is not initialized (no workspace API key).
// This prevents nil pointer panics when methods are called without credentials.
func (c *OryClient) requireConsoleClient(operation string) error {
	if c.consoleClient == nil {
		return fmt.Errorf("%s: %w. "+
			"Set workspace_api_key (ORY_WORKSPACE_API_KEY) in the provider configuration",
			operation, ErrConsoleClientNotConfigured)
	}
	return nil
}

// =============================================================================
// Project Operations (Console API)
// =============================================================================

// CreateProject creates a new Ory project.
// Returns the project, HTTP response (for status code inspection), and any error.
func (c *OryClient) CreateProject(ctx context.Context, name, environment, homeRegion string) (*ory.Project, *http.Response, error) {
	if err := c.requireConsoleClient("creating project"); err != nil {
		return nil, nil, err
	}
	body := ory.CreateProjectBody{
		Name:        name,
		Environment: environment,
	}
	if c.config.WorkspaceID != "" {
		body.WorkspaceId = ory.PtrString(c.config.WorkspaceID)
	}
	if homeRegion != "" {
		body.HomeRegion = &homeRegion
	}

	project, httpResp, err := c.consoleClient.ProjectAPI.CreateProject(ctx).CreateProjectBody(body).Execute()
	return project, httpResp, err
}

// GetProject retrieves a project by ID.
func (c *OryClient) GetProject(ctx context.Context, projectID string) (*ory.Project, error) {
	if err := c.requireConsoleClient("getting project"); err != nil {
		return nil, err
	}
	project, httpResp, err := c.consoleClient.ProjectAPI.GetProject(ctx, projectID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return project, err
}

// DeleteProject purges a project.
func (c *OryClient) DeleteProject(ctx context.Context, projectID string) error {
	if err := c.requireConsoleClient("deleting project"); err != nil {
		return err
	}
	httpResp, err := c.consoleClient.ProjectAPI.PurgeProject(ctx, projectID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return err
}

// PatchProject applies JSON Patch operations to a project.
// The response is automatically cached to avoid stale GetProject reads.
func (c *OryClient) PatchProject(ctx context.Context, projectID string, patches []ory.JsonPatch) (*ory.SuccessfulProjectUpdate, error) {
	if err := c.requireConsoleClient("patching project"); err != nil {
		return nil, err
	}
	result, httpResp, err := c.consoleClient.ProjectAPI.PatchProject(ctx, projectID).
		JsonPatch(patches).
		Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err == nil && result != nil {
		project := result.GetProject()
		c.cachedProjects.Store(projectID, &project)
	}
	return result, err
}

// GetCachedProject returns the cached project state from the last PatchProject call.
// Returns nil if no cached state exists for this project.
func (c *OryClient) GetCachedProject(projectID string) *ory.Project {
	if v, ok := c.cachedProjects.Load(projectID); ok {
		return v.(*ory.Project)
	}
	return nil
}

// =============================================================================
// Workspace Operations (Console API)
// =============================================================================

// CreateWorkspace creates a new workspace.
func (c *OryClient) CreateWorkspace(ctx context.Context, name string) (*ory.Workspace, error) {
	if err := c.requireConsoleClient("creating workspace"); err != nil {
		return nil, err
	}
	body := ory.CreateWorkspaceBody{
		Name: name,
	}
	workspace, httpResp, err := c.consoleClient.WorkspaceAPI.CreateWorkspace(ctx).CreateWorkspaceBody(body).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return workspace, err
}

// GetWorkspace retrieves a workspace by ID.
// Note: Due to Ory API permission limitations, some API keys can list workspaces
// but not get a specific workspace. We fall back to listing and filtering if
// the direct GET fails with 403.
func (c *OryClient) GetWorkspace(ctx context.Context, workspaceID string) (*ory.Workspace, error) {
	if err := c.requireConsoleClient("getting workspace"); err != nil {
		return nil, err
	}
	workspace, httpResp, err := c.consoleClient.WorkspaceAPI.GetWorkspace(ctx, workspaceID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		// Check if it's a 403 error - try fallback to list
		errStr := err.Error()
		if strings.Contains(errStr, "403") || strings.Contains(errStr, "Forbidden") {
			// Fall back to listing workspaces and finding by ID
			listResp, listHttpResp, listErr := c.consoleClient.WorkspaceAPI.ListWorkspaces(ctx).Execute()
			if listHttpResp != nil {
				_ = listHttpResp.Body.Close()
			}
			if listErr != nil {
				return nil, err // Return original error
			}
			for _, w := range listResp.Workspaces {
				if w.GetId() == workspaceID {
					return &w, nil
				}
			}
			return nil, fmt.Errorf("workspace %s not found", workspaceID)
		}
		return nil, err
	}
	return workspace, nil
}

// UpdateWorkspace updates a workspace.
func (c *OryClient) UpdateWorkspace(ctx context.Context, workspaceID, name string) (*ory.Workspace, error) {
	if err := c.requireConsoleClient("updating workspace"); err != nil {
		return nil, err
	}
	body := ory.UpdateWorkspaceBody{
		Name: name,
	}
	workspace, httpResp, err := c.consoleClient.WorkspaceAPI.UpdateWorkspace(ctx, workspaceID).UpdateWorkspaceBody(body).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return workspace, err
}

// GetProjectEnvironment retrieves the environment (prod, stage, dev) for a project.
func (c *OryClient) GetProjectEnvironment(ctx context.Context, projectID string) (string, error) {
	if c.consoleClient == nil {
		return "", fmt.Errorf("console API client not configured")
	}
	project, httpResp, err := c.consoleClient.ProjectAPI.GetProject(ctx, projectID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return "", err
	}
	return project.GetEnvironment(), nil
}

// =============================================================================
// Organization Operations (Console API with workspace key)
// Organizations require B2B features and a prod/stage project environment.
// =============================================================================

// CreateOrganization creates a new organization.
// Note: Organizations require:
// - An Ory Network plan with B2B features
// - Project environment set to "prod" or "stage" (NOT "dev")
func (c *OryClient) CreateOrganization(ctx context.Context, projectID, label string, domains []string) (*ory.Organization, error) {
	if c.consoleClient == nil {
		return nil, fmt.Errorf("creating organization: console API client not configured. " +
			"Organizations require workspace_api_key (ORY_WORKSPACE_API_KEY) to be set")
	}

	// Ory API requires domains to be an array, not null
	if domains == nil {
		domains = []string{}
	}

	body := ory.OrganizationBody{
		Label:   ory.PtrString(label),
		Domains: domains,
	}

	org, httpResp, err := c.consoleClient.ProjectAPI.CreateOrganization(ctx, projectID).OrganizationBody(body).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "creating organization")
	}
	return org, nil
}

// GetOrganization retrieves an organization by ID.
// Includes retry logic to handle eventual consistency after organization creation.
func (c *OryClient) GetOrganization(ctx context.Context, projectID, orgID string) (*ory.Organization, error) {
	if c.consoleClient == nil {
		return nil, fmt.Errorf("reading organization: console API client not configured. " +
			"Set workspace_api_key (ORY_WORKSPACE_API_KEY)")
	}

	// Retry with backoff for 404 errors (eventual consistency)
	// Use 5 attempts with delays: 1s, 2s, 4s, 8s to handle slow propagation
	var lastErr error
	for attempt := 0; attempt < 5; attempt++ {
		resp, httpResp, err := c.consoleClient.ProjectAPI.GetOrganization(ctx, projectID, orgID).Execute()
		if httpResp != nil {
			_ = httpResp.Body.Close()
		}
		if err == nil {
			return &resp.Organization, nil
		}

		lastErr = err
		errStr := err.Error()

		// Only retry on 404 errors (eventual consistency)
		if !strings.Contains(errStr, "404") && !strings.Contains(errStr, "Not Found") {
			return nil, wrapAPIError(err, "reading organization")
		}

		// Wait before retry (exponential backoff: 1s, 2s, 4s, 8s)
		if attempt < 4 {
			select {
			case <-ctx.Done():
				return nil, ctx.Err()
			case <-time.After(time.Duration(1<<attempt) * time.Second):
			}
		}
	}

	return nil, wrapAPIError(lastErr, "reading organization")
}

// UpdateOrganization updates an organization.
func (c *OryClient) UpdateOrganization(ctx context.Context, projectID, orgID, label string, domains []string) (*ory.Organization, error) {
	if c.consoleClient == nil {
		return nil, fmt.Errorf("updating organization: console API client not configured. " +
			"Set workspace_api_key (ORY_WORKSPACE_API_KEY)")
	}

	// Ory API requires domains to be an array, not null
	if domains == nil {
		domains = []string{}
	}

	body := ory.OrganizationBody{
		Label:   ory.PtrString(label),
		Domains: domains,
	}

	// Retry with backoff for 404 errors (eventual consistency)
	// Use 5 attempts with delays: 1s, 2s, 4s, 8s to handle slow propagation
	var lastErr error
	for attempt := 0; attempt < 5; attempt++ {
		org, httpResp, err := c.consoleClient.ProjectAPI.UpdateOrganization(ctx, projectID, orgID).OrganizationBody(body).Execute()
		if httpResp != nil {
			_ = httpResp.Body.Close()
		}
		if err == nil {
			return org, nil
		}

		lastErr = err
		errStr := err.Error()

		// Only retry on 404 errors (eventual consistency)
		if !strings.Contains(errStr, "404") && !strings.Contains(errStr, "Not Found") {
			return nil, wrapAPIError(err, "updating organization")
		}

		// Wait before retry (exponential backoff: 1s, 2s, 4s, 8s)
		if attempt < 4 {
			select {
			case <-ctx.Done():
				return nil, ctx.Err()
			case <-time.After(time.Duration(1<<attempt) * time.Second):
			}
		}
	}

	return nil, wrapAPIError(lastErr, "updating organization")
}

// DeleteOrganization deletes an organization.
func (c *OryClient) DeleteOrganization(ctx context.Context, projectID, orgID string) error {
	if c.consoleClient == nil {
		return fmt.Errorf("deleting organization: console API client not configured. " +
			"Set workspace_api_key (ORY_WORKSPACE_API_KEY)")
	}
	httpResp, err := c.consoleClient.ProjectAPI.DeleteOrganization(ctx, projectID, orgID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return wrapAPIError(err, "deleting organization")
}

// =============================================================================
// Identity Operations (Project API)
// =============================================================================

// CreateIdentity creates a new identity with retry on rate limit.
func (c *OryClient) CreateIdentity(ctx context.Context, body ory.CreateIdentityBody) (*ory.Identity, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("creating identity: %w", err)
	}
	return retryWithBackoff(ctx, "creating identity", func() (*ory.Identity, error) {
		identity, httpResp, err := c.projectClient.IdentityAPI.CreateIdentity(ctx).CreateIdentityBody(body).Execute()
		if httpResp != nil {
			_ = httpResp.Body.Close()
		}
		return identity, err
	})
}

// GetIdentity retrieves an identity by ID with retry on rate limit.
func (c *OryClient) GetIdentity(ctx context.Context, identityID string) (*ory.Identity, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("getting identity: %w", err)
	}
	return retryWithBackoff(ctx, "getting identity", func() (*ory.Identity, error) {
		identity, httpResp, err := c.projectClient.IdentityAPI.GetIdentity(ctx, identityID).Execute()
		if httpResp != nil {
			_ = httpResp.Body.Close()
		}
		return identity, err
	})
}

// UpdateIdentity updates an identity with retry on rate limit.
func (c *OryClient) UpdateIdentity(ctx context.Context, identityID string, body ory.UpdateIdentityBody) (*ory.Identity, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("updating identity: %w", err)
	}
	return retryWithBackoff(ctx, "updating identity", func() (*ory.Identity, error) {
		identity, httpResp, err := c.projectClient.IdentityAPI.UpdateIdentity(ctx, identityID).UpdateIdentityBody(body).Execute()
		if httpResp != nil {
			_ = httpResp.Body.Close()
		}
		return identity, err
	})
}

// DeleteIdentity deletes an identity with retry on rate limit.
func (c *OryClient) DeleteIdentity(ctx context.Context, identityID string) error {
	if err := c.ensureProjectClient(); err != nil {
		return fmt.Errorf("deleting identity: %w", err)
	}
	_, err := retryWithBackoff(ctx, "deleting identity", func() (struct{}, error) {
		httpResp, err := c.projectClient.IdentityAPI.DeleteIdentity(ctx, identityID).Execute()
		if httpResp != nil {
			_ = httpResp.Body.Close()
		}
		return struct{}{}, err
	})
	return err
}

// =============================================================================
// OAuth2 Client Operations (Project API)
// =============================================================================

// CreateOAuth2Client creates a new OAuth2 client.
func (c *OryClient) CreateOAuth2Client(ctx context.Context, oauthClient ory.OAuth2Client) (*ory.OAuth2Client, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("creating OAuth2 client: %w", err)
	}
	result, httpResp, err := c.projectClient.OAuth2API.CreateOAuth2Client(ctx).OAuth2Client(oauthClient).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return result, err
}

// GetOAuth2Client retrieves an OAuth2 client by ID.
func (c *OryClient) GetOAuth2Client(ctx context.Context, clientID string) (*ory.OAuth2Client, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("reading OAuth2 client: %w", err)
	}
	oauthClient, httpResp, err := c.projectClient.OAuth2API.GetOAuth2Client(ctx, clientID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return oauthClient, err
}

// UpdateOAuth2Client updates an OAuth2 client.
func (c *OryClient) UpdateOAuth2Client(ctx context.Context, clientID string, oauthClient ory.OAuth2Client) (*ory.OAuth2Client, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("updating OAuth2 client: %w", err)
	}
	result, httpResp, err := c.projectClient.OAuth2API.SetOAuth2Client(ctx, clientID).OAuth2Client(oauthClient).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return result, err
}

// DeleteOAuth2Client deletes an OAuth2 client.
func (c *OryClient) DeleteOAuth2Client(ctx context.Context, clientID string) error {
	if err := c.ensureProjectClient(); err != nil {
		return fmt.Errorf("deleting OAuth2 client: %w", err)
	}
	httpResp, err := c.projectClient.OAuth2API.DeleteOAuth2Client(ctx, clientID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return err
}

// =============================================================================
// Project API Key Operations (Console API)
// =============================================================================

// CreateProjectAPIKey creates a new API key for a project.
func (c *OryClient) CreateProjectAPIKey(ctx context.Context, projectID string, body ory.CreateProjectApiKeyRequest) (*ory.ProjectApiKey, error) {
	if err := c.requireConsoleClient("creating project API key"); err != nil {
		return nil, err
	}
	key, httpResp, err := c.consoleClient.ProjectAPI.CreateProjectApiKey(ctx, projectID).CreateProjectApiKeyRequest(body).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return key, err
}

// ListProjectAPIKeys lists all API keys for a project.
func (c *OryClient) ListProjectAPIKeys(ctx context.Context, projectID string) ([]ory.ProjectApiKey, error) {
	if err := c.requireConsoleClient("listing project API keys"); err != nil {
		return nil, err
	}
	keys, httpResp, err := c.consoleClient.ProjectAPI.ListProjectApiKeys(ctx, projectID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return keys, err
}

// DeleteProjectAPIKey deletes an API key with retry logic for transient errors.
func (c *OryClient) DeleteProjectAPIKey(ctx context.Context, projectID, keyID string) error {
	if err := c.requireConsoleClient("deleting project API key"); err != nil {
		return err
	}
	var lastErr error
	backoff := initialBackoff

	for attempt := 0; attempt <= maxRetries; attempt++ {
		httpResp, err := c.consoleClient.ProjectAPI.DeleteProjectApiKey(ctx, projectID, keyID).Execute()
		if httpResp != nil {
			_ = httpResp.Body.Close()
		}

		if err == nil {
			return nil
		}

		lastErr = err

		// Only retry on rate limit or 5xx errors
		if !isRateLimitError(err) && !isRetryableError(err) {
			return err
		}

		if attempt == maxRetries {
			break
		}

		// Wait before retrying
		select {
		case <-ctx.Done():
			return ctx.Err()
		case <-time.After(backoff):
			backoff *= 2 // Exponential backoff
		}
	}

	return fmt.Errorf("deleting API key: failed after %d retries: %w", maxRetries, lastErr)
}

// =============================================================================
// JSON Web Key Set Operations (Project API)
// =============================================================================

// CreateJsonWebKeySet creates a new JWK set.
func (c *OryClient) CreateJsonWebKeySet(ctx context.Context, setID string, body ory.CreateJsonWebKeySet) (*ory.JsonWebKeySet, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("creating JWK set: %w", err)
	}
	jwks, httpResp, err := c.projectClient.JwkAPI.CreateJsonWebKeySet(ctx, setID).CreateJsonWebKeySet(body).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return jwks, err
}

// GetJsonWebKeySet retrieves a JWK set by ID.
func (c *OryClient) GetJsonWebKeySet(ctx context.Context, setID string) (*ory.JsonWebKeySet, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("reading JWK set: %w", err)
	}
	jwks, httpResp, err := c.projectClient.JwkAPI.GetJsonWebKeySet(ctx, setID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return jwks, err
}

// DeleteJsonWebKeySet deletes a JWK set.
func (c *OryClient) DeleteJsonWebKeySet(ctx context.Context, setID string) error {
	if err := c.ensureProjectClient(); err != nil {
		return fmt.Errorf("deleting JWK set: %w", err)
	}
	httpResp, err := c.projectClient.JwkAPI.DeleteJsonWebKeySet(ctx, setID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return err
}

// =============================================================================
// Relationship Operations (Project API - Ory Keto)
// =============================================================================

// CreateRelationship creates a new relationship tuple.
func (c *OryClient) CreateRelationship(ctx context.Context, body ory.CreateRelationshipBody) (*ory.Relationship, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("creating relationship: %w", err)
	}
	rel, httpResp, err := c.projectClient.RelationshipAPI.CreateRelationship(ctx).CreateRelationshipBody(body).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return rel, err
}

// GetRelationships queries relationships.
func (c *OryClient) GetRelationships(ctx context.Context, namespace string, object *string, relation *string, subjectID *string) (*ory.Relationships, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("getting relationships: %w", err)
	}
	req := c.projectClient.RelationshipAPI.GetRelationships(ctx).Namespace(namespace)
	if object != nil {
		req = req.Object(*object)
	}
	if relation != nil {
		req = req.Relation(*relation)
	}
	if subjectID != nil {
		req = req.SubjectId(*subjectID)
	}
	rels, httpResp, err := req.Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return rels, err
}

// DeleteRelationships deletes relationships matching the query.
func (c *OryClient) DeleteRelationships(ctx context.Context, namespace string, object *string, relation *string, subjectID *string) error {
	if err := c.ensureProjectClient(); err != nil {
		return fmt.Errorf("deleting relationships: %w", err)
	}
	req := c.projectClient.RelationshipAPI.DeleteRelationships(ctx).Namespace(namespace)
	if object != nil {
		req = req.Object(*object)
	}
	if relation != nil {
		req = req.Relation(*relation)
	}
	if subjectID != nil {
		req = req.SubjectId(*subjectID)
	}
	httpResp, err := req.Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return err
}

// =============================================================================
// Event Stream Operations (Console API)
// =============================================================================

// CreateEventStream creates a new event stream for a project.
func (c *OryClient) CreateEventStream(ctx context.Context, projectID string, body ory.CreateEventStreamBody) (*ory.EventStream, error) {
	if err := c.requireConsoleClient("creating event stream"); err != nil {
		return nil, err
	}
	stream, httpResp, err := c.consoleClient.EventsAPI.CreateEventStream(ctx, projectID).CreateEventStreamBody(body).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "creating event stream")
	}
	return stream, nil
}

// GetEventStream retrieves an event stream by listing all and filtering by ID.
// The Ory API does not have a direct GET endpoint for event streams.
func (c *OryClient) GetEventStream(ctx context.Context, projectID, streamID string) (*ory.EventStream, error) {
	if err := c.requireConsoleClient("getting event stream"); err != nil {
		return nil, err
	}
	list, httpResp, err := c.consoleClient.EventsAPI.ListEventStreams(ctx, projectID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "listing event streams")
	}

	for _, s := range list.GetEventStreams() {
		if s.GetId() == streamID {
			return &s, nil
		}
	}
	return nil, fmt.Errorf("event stream %s not found in project %s", streamID, projectID)
}

// SetEventStream updates an event stream.
func (c *OryClient) SetEventStream(ctx context.Context, projectID, streamID string, body ory.SetEventStreamBody) (*ory.EventStream, error) {
	if err := c.requireConsoleClient("updating event stream"); err != nil {
		return nil, err
	}
	stream, httpResp, err := c.consoleClient.EventsAPI.SetEventStream(ctx, projectID, streamID).SetEventStreamBody(body).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "updating event stream")
	}
	return stream, nil
}

// DeleteEventStream deletes an event stream.
func (c *OryClient) DeleteEventStream(ctx context.Context, projectID, streamID string) error {
	if err := c.requireConsoleClient("deleting event stream"); err != nil {
		return err
	}
	httpResp, err := c.consoleClient.EventsAPI.DeleteEventStream(ctx, projectID, streamID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return wrapAPIError(err, "deleting event stream")
}

// ListEventStreams lists all event streams for a project.
func (c *OryClient) ListEventStreams(ctx context.Context, projectID string) ([]ory.EventStream, error) {
	if err := c.requireConsoleClient("listing event streams"); err != nil {
		return nil, err
	}
	list, httpResp, err := c.consoleClient.EventsAPI.ListEventStreams(ctx, projectID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "listing event streams")
	}
	return list.GetEventStreams(), nil
}

// =============================================================================
// Trusted OAuth2 JWT Grant Issuer Operations (Project API)
// =============================================================================

// TrustOAuth2JwtGrantIssuer creates a new trust relationship for a JWT issuer.
func (c *OryClient) TrustOAuth2JwtGrantIssuer(ctx context.Context, body ory.TrustOAuth2JwtGrantIssuer) (*ory.TrustedOAuth2JwtGrantIssuer, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("trusting JWT grant issuer: %w", err)
	}
	issuer, httpResp, err := c.projectClient.OAuth2API.TrustOAuth2JwtGrantIssuer(ctx).TrustOAuth2JwtGrantIssuer(body).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "trusting JWT grant issuer")
	}
	return issuer, nil
}

// GetTrustedOAuth2JwtGrantIssuer retrieves a trusted JWT grant issuer by ID.
func (c *OryClient) GetTrustedOAuth2JwtGrantIssuer(ctx context.Context, id string) (*ory.TrustedOAuth2JwtGrantIssuer, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("getting trusted JWT grant issuer: %w", err)
	}
	issuer, httpResp, err := c.projectClient.OAuth2API.GetTrustedOAuth2JwtGrantIssuer(ctx, id).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "getting trusted JWT grant issuer")
	}
	return issuer, nil
}

// DeleteTrustedOAuth2JwtGrantIssuer deletes a trusted JWT grant issuer.
func (c *OryClient) DeleteTrustedOAuth2JwtGrantIssuer(ctx context.Context, id string) error {
	if err := c.ensureProjectClient(); err != nil {
		return fmt.Errorf("deleting trusted JWT grant issuer: %w", err)
	}
	httpResp, err := c.projectClient.OAuth2API.DeleteTrustedOAuth2JwtGrantIssuer(ctx, id).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return wrapAPIError(err, "deleting trusted JWT grant issuer")
}

// ListTrustedOAuth2JwtGrantIssuers lists all trusted JWT grant issuers.
func (c *OryClient) ListTrustedOAuth2JwtGrantIssuers(ctx context.Context) ([]ory.TrustedOAuth2JwtGrantIssuer, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("listing trusted JWT grant issuers: %w", err)
	}
	issuers, httpResp, err := c.projectClient.OAuth2API.ListTrustedOAuth2JwtGrantIssuers(ctx).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "listing trusted JWT grant issuers")
	}
	return issuers, nil
}

// =============================================================================
// OIDC Dynamic Client Registration (Project API)
// =============================================================================

// CreateOIDCDynamicClient registers a new dynamic OAuth2 client via RFC 7591.
func (c *OryClient) CreateOIDCDynamicClient(ctx context.Context, oauthClient ory.OAuth2Client) (*ory.OAuth2Client, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("creating OIDC dynamic client: %w", err)
	}
	result, httpResp, err := c.projectClient.OidcAPI.CreateOidcDynamicClient(ctx).OAuth2Client(oauthClient).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "creating OIDC dynamic client")
	}
	return result, nil
}

// GetOIDCDynamicClient retrieves a dynamic client by ID.
// Uses the admin OAuth2 API (/admin/clients/{id}) instead of the RFC 7592 endpoint
// (/oauth2/register/{id}) because the RFC 7592 endpoint requires a registration_access_token
// which is only available at creation time. The admin API uses the project API key.
func (c *OryClient) GetOIDCDynamicClient(ctx context.Context, clientID string) (*ory.OAuth2Client, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("getting OIDC dynamic client: %w", err)
	}
	result, httpResp, err := c.projectClient.OAuth2API.GetOAuth2Client(ctx, clientID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "getting OIDC dynamic client")
	}
	return result, nil
}

// UpdateOIDCDynamicClient updates a dynamic client.
// Uses the admin OAuth2 API instead of RFC 7592 (see GetOIDCDynamicClient comment).
func (c *OryClient) UpdateOIDCDynamicClient(ctx context.Context, clientID string, oauthClient ory.OAuth2Client) (*ory.OAuth2Client, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("updating OIDC dynamic client: %w", err)
	}
	result, httpResp, err := c.projectClient.OAuth2API.SetOAuth2Client(ctx, clientID).OAuth2Client(oauthClient).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "updating OIDC dynamic client")
	}
	return result, nil
}

// DeleteOIDCDynamicClient deletes a dynamic client.
// Uses the admin OAuth2 API instead of RFC 7592 (see GetOIDCDynamicClient comment).
func (c *OryClient) DeleteOIDCDynamicClient(ctx context.Context, clientID string) error {
	if err := c.ensureProjectClient(); err != nil {
		return fmt.Errorf("deleting OIDC dynamic client: %w", err)
	}
	httpResp, err := c.projectClient.OAuth2API.DeleteOAuth2Client(ctx, clientID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	return wrapAPIError(err, "deleting OIDC dynamic client")
}

// =============================================================================
// List Operations for Data Sources
// =============================================================================

// ListOAuth2Clients lists all OAuth2 clients.
func (c *OryClient) ListOAuth2Clients(ctx context.Context) ([]ory.OAuth2Client, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("listing OAuth2 clients: %w", err)
	}
	clients, httpResp, err := c.projectClient.OAuth2API.ListOAuth2Clients(ctx).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "listing OAuth2 clients")
	}
	return clients, nil
}

// ListOrganizations lists all organizations in a project.
func (c *OryClient) ListOrganizations(ctx context.Context, projectID string) ([]ory.Organization, error) {
	if err := c.requireConsoleClient("listing organizations"); err != nil {
		return nil, err
	}
	resp, httpResp, err := c.consoleClient.ProjectAPI.ListOrganizations(ctx, projectID).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "listing organizations")
	}
	return resp.Organizations, nil
}

// ListIdentitySchemas lists all identity schemas for a project, paginating
// through all pages using the Link header page_token cursor.
func (c *OryClient) ListIdentitySchemas(ctx context.Context) ([]ory.IdentitySchemaContainer, error) {
	if err := c.ensureProjectClient(); err != nil {
		return nil, fmt.Errorf("listing identity schemas: %w", err)
	}

	const pageSize = int64(250)
	var all []ory.IdentitySchemaContainer
	var pageToken *string

	for {
		req := c.projectClient.IdentityAPI.ListIdentitySchemas(ctx).PageSize(pageSize)
		if pageToken != nil {
			req = req.PageToken(*pageToken)
		}
		page, httpResp, err := req.Execute()
		if httpResp != nil {
			_ = httpResp.Body.Close()
		}
		if err != nil {
			return nil, wrapAPIError(err, "listing identity schemas")
		}
		all = append(all, page...)
		// Primary termination signal: absence of a "next" page_token in the
		// Link header. This is authoritative regardless of page size, so we
		// check it first. Using only len(page) < pageSize would stop early
		// if the API returns a partial page while still providing a cursor.
		next := parseLinkNextPageToken(httpResp)
		if next == "" {
			break
		}
		// Safety guard: if the server somehow returns an empty page with a
		// next cursor, stop to avoid an infinite loop.
		if len(page) == 0 {
			break
		}
		pageToken = &next
	}
	return all, nil
}

// parseLinkNextPageToken extracts the page_token query parameter from the
// "next" relation in an HTTP Link header. Returns "" if not present.
func parseLinkNextPageToken(resp *http.Response) string {
	if resp == nil {
		return ""
	}
	for _, link := range resp.Header.Values("Link") {
		for _, part := range strings.Split(link, ",") {
			part = strings.TrimSpace(part)
			// Format: <URL>; rel="next"
			semi := strings.Index(part, ";")
			if semi < 0 {
				continue
			}
			rawURL := strings.Trim(strings.TrimSpace(part[:semi]), "<>")
			rel := strings.TrimSpace(part[semi+1:])
			if !strings.Contains(rel, `"next"`) {
				continue
			}
			u, err := url.Parse(rawURL)
			if err != nil {
				continue
			}
			if tok := u.Query().Get("page_token"); tok != "" {
				return tok
			}
		}
	}
	return ""
}

// HasProjectClient reports whether the project API client is configured.
func (c *OryClient) HasProjectClient() bool {
	return c.config.ProjectSlug != "" && c.config.ProjectAPIKey != ""
}

// HasConsoleClient reports whether the console API client is configured.
func (c *OryClient) HasConsoleClient() bool {
	return c.consoleClient != nil
}

// ListIdentitySchemasViaProject extracts identity schemas from the project
// config using the console API (workspace key). This does not require project
// API credentials and can be used during project bootstrap.
func (c *OryClient) ListIdentitySchemasViaProject(ctx context.Context, projectID string) ([]ory.IdentitySchemaContainer, error) {
	if c.consoleClient == nil {
		return nil, fmt.Errorf("console API client not configured: set workspace_api_key to use project_id lookups")
	}
	project, err := c.GetProject(ctx, projectID)
	if err != nil {
		return nil, fmt.Errorf("getting project for schema lookup: %w", err)
	}
	return extractSchemasFromProjectConfig(ctx, project)
}

// extractSchemasFromProjectConfig reads the identity schemas array from the
// project's kratos config and converts each entry into an
// IdentitySchemaContainer. For base64-encoded schemas the content is decoded
// inline; for HTTPS URLs the content is fetched over HTTPS; preset schemas
// are returned with an empty schema body.
func extractSchemasFromProjectConfig(ctx context.Context, project *ory.Project) ([]ory.IdentitySchemaContainer, error) {
	if project.Services.Identity == nil {
		return nil, nil
	}
	configMap := project.Services.Identity.Config
	if configMap == nil {
		return nil, nil
	}
	identity, _ := configMap["identity"].(map[string]interface{})
	rawSchemas, _ := identity["schemas"].([]interface{})

	// First pass: decode base64/preset schemas synchronously and collect
	// HTTPS schemas that need network fetching.
	type httpsEntry struct {
		index int
		id    string
		url   string
	}
	result := make([]ory.IdentitySchemaContainer, 0, len(rawSchemas))
	var httpsFetches []httpsEntry

	for _, raw := range rawSchemas {
		s, ok := raw.(map[string]interface{})
		if !ok {
			continue
		}
		id, _ := s["id"].(string)
		rawURL, _ := s["url"].(string)

		container := ory.IdentitySchemaContainer{Id: id}

		switch {
		case strings.HasPrefix(rawURL, "base64://"):
			decoded, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(rawURL, "base64://"))
			if err != nil {
				return nil, fmt.Errorf("decoding base64 schema %q: %w", id, err)
			}
			var schemaObj map[string]interface{}
			if err := json.Unmarshal(decoded, &schemaObj); err != nil {
				return nil, fmt.Errorf("parsing JSON for schema %q: %w", id, err)
			}
			container.Schema = schemaObj

		case strings.HasPrefix(rawURL, schemeHTTPS+"://"):
			// Mark for parallel fetching below.
			httpsFetches = append(httpsFetches, httpsEntry{index: len(result), id: id, url: rawURL})

		default:
			// Preset or unrecognized URL schemes: return an empty object so
			// json.Marshal produces "{}" instead of "null".
			container.Schema = map[string]interface{}{}
		}

		result = append(result, container)
	}

	// Second pass: fetch HTTPS schemas in parallel (bounded to avoid
	// excessive concurrency). Projects typically have 1-3 schemas.
	if len(httpsFetches) > 0 {
		type fetchResult struct {
			schema map[string]interface{}
			err    error
		}
		results := make([]fetchResult, len(httpsFetches))
		var wg sync.WaitGroup
		// Limit concurrency to 5 to avoid excessive socket usage.
		sem := make(chan struct{}, 5)

		for i, entry := range httpsFetches {
			wg.Add(1)
			go func(i int, entry httpsEntry) {
				defer wg.Done()
				sem <- struct{}{}
				defer func() { <-sem }()
				schemaObj, err := fetchSchemaFromURL(ctx, entry.url)
				results[i] = fetchResult{schema: schemaObj, err: err}
			}(i, entry)
		}
		wg.Wait()

		for i, entry := range httpsFetches {
			if results[i].err != nil {
				return nil, fmt.Errorf("fetching schema %q from URL: %w", entry.id, results[i].err)
			}
			result[entry.index].Schema = results[i].schema
		}
	}

	return result, nil
}

// hostChecker is the function used to check whether a host is private.
// It accepts a context for DNS resolution and is a variable so tests can
// override it. Returns (isPrivate, error) — error indicates DNS failure.
var hostChecker = isPrivateHost

// schemaFetchClient is a shared HTTP client for fetching schema content from
// trusted URLs returned by the Ory API. It is thread-safe and reuses
// connections. It uses req.Context() in CheckRedirect so per-request
// cancellation is respected without creating a new client per call.
// It is a variable so tests can override it.
var schemaFetchClient = &http.Client{
	Timeout: 10 * time.Second,
	Transport: &http.Transport{
		// Validate the actual resolved IP at connection time to prevent
		// DNS rebinding: a hostname may resolve to a public IP during the
		// pre-flight check but to a private IP when the connection is made.
		DialContext: safeDialContext,
	},
	CheckRedirect: func(req *http.Request, via []*http.Request) error {
		if len(via) >= 2 {
			return fmt.Errorf("too many redirects fetching schema")
		}
		if req.URL.Scheme != "https" {
			return fmt.Errorf("refusing non-HTTPS redirect for schema URL")
		}
		// Validate the redirect target to prevent SSRF bypass via a
		// public HTTPS URL that redirects to a private/loopback host.
		// Use req.Context() so the check respects per-request cancellation.
		redirectIsPrivate, checkErr := hostChecker(req.Context(), req.URL.Hostname())
		if checkErr != nil {
			return checkErr
		}
		if redirectIsPrivate {
			return fmt.Errorf("refusing redirect to private/loopback host %q", req.URL.Hostname())
		}
		return nil
	},
}

// safeDialContext wraps the default dialer and validates that the resolved IP
// address is not private/loopback/link-local before establishing the connection.
// This prevents DNS rebinding attacks where a hostname resolves to a public IP
// during pre-flight checks but to a private IP at connection time.
func safeDialContext(ctx context.Context, network, addr string) (net.Conn, error) {
	host, port, err := net.SplitHostPort(addr)
	if err != nil {
		return nil, fmt.Errorf("invalid address %q: %w", addr, err)
	}

	// Resolve the hostname to IP addresses.
	resolver := &net.Resolver{}
	ips, err := resolver.LookupHost(ctx, host)
	if err != nil {
		return nil, fmt.Errorf("resolving host %q: %w", host, err)
	}

	// Filter out private/loopback IPs — only connect to public addresses.
	var dialer net.Dialer
	for _, ip := range ips {
		parsed, parseErr := netip.ParseAddr(ip)
		if parseErr != nil {
			continue
		}
		if isPrivateAddr(parsed) {
			continue
		}
		// Try connecting to this public IP.
		conn, dialErr := dialer.DialContext(ctx, network, net.JoinHostPort(ip, port))
		if dialErr == nil {
			return conn, nil
		}
	}
	return nil, fmt.Errorf("all resolved addresses for %q are private or unreachable", host)
}

// fetchSchemaFromURL retrieves a JSON schema from an HTTPS URL. The URL must
// use the https scheme (enforced by the caller's switch statement) and must not
// resolve to a private/loopback address.
func fetchSchemaFromURL(ctx context.Context, schemaURL string) (map[string]interface{}, error) {
	parsed, err := url.Parse(schemaURL)
	if err != nil {
		return nil, fmt.Errorf("parsing schema URL %q: %w", schemaURL, err)
	}
	if parsed.Scheme != "https" {
		return nil, fmt.Errorf("refusing non-HTTPS schema URL %q", schemaURL)
	}
	host := parsed.Hostname()
	isPrivate, err := hostChecker(ctx, host)
	if err != nil {
		return nil, err
	}
	if isPrivate {
		return nil, fmt.Errorf("refusing schema URL with private/loopback host %q", host)
	}

	req, err := http.NewRequestWithContext(ctx, http.MethodGet, schemaURL, nil)
	if err != nil {
		return nil, fmt.Errorf("creating request for schema %q: %w", schemaURL, err)
	}

	resp, err := schemaFetchClient.Do(req)
	if err != nil {
		return nil, fmt.Errorf("fetching schema from %q: %w", schemaURL, err)
	}
	defer resp.Body.Close()

	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("fetching schema from %q: HTTP %d", schemaURL, resp.StatusCode)
	}

	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // 1MB limit
	if err != nil {
		return nil, fmt.Errorf("reading schema from %q: %w", schemaURL, err)
	}

	var schemaObj map[string]interface{}
	if err := json.Unmarshal(body, &schemaObj); err != nil {
		return nil, fmt.Errorf("parsing schema JSON from %q: %w", schemaURL, err)
	}
	return schemaObj, nil
}

// isPrivateHost checks whether a host is a loopback, private, or link-local
// address. For DNS names it resolves the host and checks all resulting IPs.
// Returns (true, nil) for private hosts, (false, nil) for public hosts, and
// (false, error) when DNS resolution fails — callers can then surface an
// actionable "DNS resolution failed" error instead of a misleading
// "private/loopback host" message. The actual DNS rebinding protection is
// enforced by safeDialContext which validates the resolved IP at connection time.
func isPrivateHost(ctx context.Context, host string) (bool, error) {
	if host == "localhost" {
		return true, nil
	}

	// Try parsing as an IP literal first.
	if addr, err := netip.ParseAddr(host); err == nil {
		return isPrivateAddr(addr), nil
	}

	// It's a DNS name — resolve and check all A/AAAA records.
	resolver := &net.Resolver{}
	addrs, err := resolver.LookupHost(ctx, host)
	if err != nil {
		return false, fmt.Errorf("resolving host %q: %w", host, err)
	}
	for _, a := range addrs {
		if addr, err := netip.ParseAddr(a); err == nil && isPrivateAddr(addr) {
			return true, nil
		}
	}
	return false, nil
}

// isPrivateAddr checks whether an IP address is loopback, private, link-local,
// or unspecified using proper CIDR range checks.
func isPrivateAddr(addr netip.Addr) bool {
	return addr.IsLoopback() || addr.IsPrivate() || addr.IsLinkLocalUnicast() ||
		addr.IsLinkLocalMulticast() || addr.IsUnspecified()
}

// Custom Domain (CNAME) operations
// The Ory SDK does not generate API methods for custom domains,
// so we use raw HTTP calls against the console API.

// consoleHTTPDo executes a raw HTTP request against the console API.
func (c *OryClient) consoleHTTPDo(ctx context.Context, method, path string, body io.Reader) (*http.Response, error) {
	if c.config.WorkspaceAPIKey == "" || c.config.ConsoleAPIURL == "" {
		return nil, fmt.Errorf("workspace_api_key and console_api_url must be configured for custom domain operations")
	}
	baseURL, err := url.Parse(c.config.ConsoleAPIURL)
	if err != nil {
		return nil, fmt.Errorf("invalid console_api_url %q: %w", c.config.ConsoleAPIURL, err)
	}
	requestURL := baseURL.JoinPath(path)
	req, err := http.NewRequestWithContext(ctx, method, requestURL.String(), body)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+c.config.WorkspaceAPIKey)
	if body != nil {
		req.Header.Set("Content-Type", "application/json")
	}
	httpClient := http.DefaultClient
	if c.consoleClient != nil {
		if cfg := c.consoleClient.GetConfig(); cfg.HTTPClient != nil {
			httpClient = cfg.HTTPClient
		}
	}
	return httpClient.Do(req) // #nosec G704 -- URL is constructed from trusted provider configuration
}

// ListCustomDomains lists all custom domains for a project.
func (c *OryClient) ListCustomDomains(ctx context.Context, projectID string) ([]ory.CustomDomain, error) {
	httpResp, err := c.consoleHTTPDo(ctx, http.MethodGet, "/projects/"+projectID+"/cname", nil)
	if err != nil {
		return nil, wrapAPIError(err, "listing custom domains")
	}
	defer httpResp.Body.Close()

	if httpResp.StatusCode != http.StatusOK {
		respBody, _ := io.ReadAll(httpResp.Body)
		return nil, wrapAPIError(
			fmt.Errorf("unexpected status %d: %s", httpResp.StatusCode, string(respBody)),
			"listing custom domains",
		)
	}

	var domains []ory.CustomDomain
	if err := json.NewDecoder(httpResp.Body).Decode(&domains); err != nil {
		return nil, fmt.Errorf("listing custom domains: decoding response: %w", err)
	}
	return domains, nil
}

// GetCustomDomain gets a custom domain by ID from the list.
func (c *OryClient) GetCustomDomain(ctx context.Context, projectID, domainID string) (*ory.CustomDomain, error) {
	domains, err := c.ListCustomDomains(ctx, projectID)
	if err != nil {
		return nil, err
	}
	for i := range domains {
		if domains[i].GetId() == domainID {
			return &domains[i], nil
		}
	}
	return nil, fmt.Errorf("%w: %s in project %s", ErrCustomDomainNotFound, domainID, projectID)
}

// CreateCustomDomain creates a new custom domain for a project.
func (c *OryClient) CreateCustomDomain(ctx context.Context, projectID string, body ory.CreateCustomDomainBody) (*ory.CustomDomain, error) {
	bodyBytes, err := json.Marshal(body)
	if err != nil {
		return nil, fmt.Errorf("creating custom domain: marshaling body: %w", err)
	}

	httpResp, err := c.consoleHTTPDo(ctx, http.MethodPost, "/projects/"+projectID+"/cname", bytes.NewReader(bodyBytes))
	if err != nil {
		return nil, wrapAPIError(err, "creating custom domain")
	}
	defer httpResp.Body.Close()

	if httpResp.StatusCode != http.StatusCreated {
		respBody, _ := io.ReadAll(httpResp.Body)
		return nil, wrapAPIError(
			fmt.Errorf("unexpected status %d: %s", httpResp.StatusCode, string(respBody)),
			"creating custom domain",
		)
	}

	var domain ory.CustomDomain
	if err := json.NewDecoder(httpResp.Body).Decode(&domain); err != nil {
		return nil, fmt.Errorf("creating custom domain: decoding response: %w", err)
	}
	return &domain, nil
}

// UpdateCustomDomain updates an existing custom domain.
func (c *OryClient) UpdateCustomDomain(ctx context.Context, projectID, domainID string, body ory.SetCustomDomainBody) (*ory.CustomDomain, error) {
	bodyBytes, err := json.Marshal(body)
	if err != nil {
		return nil, fmt.Errorf("updating custom domain: marshaling body: %w", err)
	}

	httpResp, err := c.consoleHTTPDo(ctx, http.MethodPut, "/projects/"+projectID+"/cname/"+domainID, bytes.NewReader(bodyBytes))
	if err != nil {
		return nil, wrapAPIError(err, "updating custom domain")
	}
	defer httpResp.Body.Close()

	if httpResp.StatusCode != http.StatusOK {
		respBody, _ := io.ReadAll(httpResp.Body)
		return nil, wrapAPIError(
			fmt.Errorf("unexpected status %d: %s", httpResp.StatusCode, string(respBody)),
			"updating custom domain",
		)
	}

	var domain ory.CustomDomain
	if err := json.NewDecoder(httpResp.Body).Decode(&domain); err != nil {
		return nil, fmt.Errorf("updating custom domain: decoding response: %w", err)
	}
	return &domain, nil
}

// DeleteCustomDomain deletes a custom domain.
func (c *OryClient) DeleteCustomDomain(ctx context.Context, projectID, domainID string) error {
	httpResp, err := c.consoleHTTPDo(ctx, http.MethodDelete, "/projects/"+projectID+"/cname/"+domainID, nil)
	if err != nil {
		return wrapAPIError(err, "deleting custom domain")
	}
	defer httpResp.Body.Close()

	if httpResp.StatusCode != http.StatusNoContent {
		respBody, _ := io.ReadAll(httpResp.Body)
		return wrapAPIError(
			fmt.Errorf("unexpected status %d: %s", httpResp.StatusCode, string(respBody)),
			"deleting custom domain",
		)
	}
	return nil
}

// ListWorkspaces lists all workspaces.
func (c *OryClient) ListWorkspaces(ctx context.Context) ([]ory.Workspace, error) {
	if err := c.requireConsoleClient("listing workspaces"); err != nil {
		return nil, err
	}
	resp, httpResp, err := c.consoleClient.WorkspaceAPI.ListWorkspaces(ctx).Execute()
	if httpResp != nil {
		_ = httpResp.Body.Close()
	}
	if err != nil {
		return nil, wrapAPIError(err, "listing workspaces")
	}
	return resp.Workspaces, nil
}