<?php

require_once __DIR__ . '/../includes/api_bootstrap.php';

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    sendJson(['success' => false, 'error' => 'Method not allowed'], 405);
}

$people = normalizePeopleList(readJsonFile('people.json'));
assertHoHCanManagePeople($people);

$body = readJsonBody();
$targetId = isset($body['targetPersonId']) ? trim((string) $body['targetPersonId']) : '';
$newPin = isset($body['newPin']) ? (string) $body['newPin'] : '';

if ($targetId === '') {
    sendJson(['success' => false, 'error' => 'targetPersonId is required'], 400);
}
if (strlen($newPin) < 4) {
    sendJson(['success' => false, 'error' => 'newPin must be at least 4 characters'], 400);
}

$target = findPersonById($people, $targetId);
if ($target === null) {
    sendJson(['success' => false, 'error' => 'Person not found'], 404);
}
if (($target['role'] ?? '') !== ROLE_HEAD) {
    sendJson(['success' => false, 'error' => 'PIN applies only to Head of Household profiles'], 400);
}

$updated = false;
foreach ($people as $i => $p) {
    if (($p['id'] ?? '') === $targetId) {
        $people[$i]['pin_hash'] = password_hash($newPin, PASSWORD_DEFAULT);
        $updated = true;
        break;
    }
}

if (!$updated) {
    sendJson(['success' => false, 'error' => 'Update failed'], 500);
}

if (!writeJsonFile('people.json', $people)) {
    sendJson(['success' => false, 'error' => 'Failed to save people'], 500);
}

sendJson(['success' => true]);