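# attack_classifier.py

# Score thresholds used by the spam and generic-suspicious rules below.
SPAM_SCORE_MAX = 40
SUSPICIOUS_SCORE_MIN = 70

# Keyword sets each rule looks for in the lower-cased, concatenated findings.
# Matching is plain substring matching, so e.g. "login" also matches "logins".
_BEC_KEYWORDS = ("reply-to", "payment", "invoice")
_MALWARE_KEYWORDS = ("macro", "html attachment", "executable")
_PHISHING_KEYWORDS = ("phishing", "credential", "login", "verify")
_BRAND_KEYWORDS = ("brand spoof", "look-alike domain")
_SPAM_KEYWORDS = ("unsubscribe", "promotion", "marketing")


def _as_list(findings):
    """Return *findings* as a list, treating ``None`` as empty.

    Accepting any iterable (tuple, generator, set) instead of requiring a
    ``list`` keeps callers from tripping over the list-only ``+`` the original
    used to concatenate the four finding groups.
    """
    return [] if findings is None else list(findings)


def _findings_text(*groups):
    """Join all finding entries of *groups* into one lower-cased string.

    Entries are coerced with ``str()`` so a non-string finding does not abort
    classification with a ``TypeError`` from ``str.join``.
    """
    parts = [str(item) for group in groups for item in group]
    return " ".join(parts).lower()


def _mentions(text, keywords):
    """True when any of *keywords* occurs as a substring of *text*."""
    return any(keyword in text for keyword in keywords)


def _auth_failed(auth_results, mechanism):
    """True when *auth_results* reports ``fail`` for *mechanism*.

    The comparison is case-insensitive and ignores surrounding whitespace so
    values such as ``"FAIL"`` are recognised; a missing key, a ``None`` value
    or ``auth_results`` itself being ``None`` counts as not failed.
    """
    if not auth_results:
        return False
    value = auth_results.get(mechanism)
    if value is None:
        return False
    return str(value).strip().lower() == "fail"


def classify_attack(
    final_score,
    header_findings,
    body_findings,
    url_findings,
    attachment_findings,
    auth_results,
):
    """Map analyzer findings to a coarse attack category.

    Rules are evaluated in priority order and the first match wins:
    BEC -> malware delivery -> phishing -> brand spoofing -> spam/marketing
    -> generic suspicious -> legitimate.

    Args:
        final_score: overall numeric risk score; only the
            ``SPAM_SCORE_MAX`` / ``SUSPICIOUS_SCORE_MIN`` thresholds are used.
        header_findings, body_findings, url_findings, attachment_findings:
            iterables of finding strings from the respective analyzers;
            ``None`` is treated as empty.
        auth_results: mapping of ``"spf"`` / ``"dkim"`` / ``"dmarc"`` to a
            result string; only a value of ``"fail"`` (any case) matters.

    Returns:
        ``(attack_type, confidence, reasoning)`` — two strings and a list of
        human-readable justifications for the chosen category.

    NOTE(review): the rules are keyword-substring matches over whatever text
    the upstream analyzers emitted, so they inherit that vocabulary; a benign
    finding containing one of the keywords (e.g. "login") will trigger the
    corresponding rule. The result is a triage hint, not a verdict.
    """
    reasoning = []

    headers = _as_list(header_findings)
    bodies = _as_list(body_findings)
    urls = _as_list(url_findings)
    attachments = _as_list(attachment_findings)

    findings_text = _findings_text(headers, bodies, urls, attachments)

    spf_fail = _auth_failed(auth_results, "spf")
    dkim_fail = _auth_failed(auth_results, "dkim")
    dmarc_fail = _auth_failed(auth_results, "dmarc")

    has_urls = bool(urls)
    has_attachments = bool(attachments)

    # 1. Business Email Compromise: an action request with no payload and a
    #    sender-authentication failure.
    if (
        _mentions(findings_text, _BEC_KEYWORDS)
        and not has_urls
        and not has_attachments
        and (spf_fail or dkim_fail)
    ):
        reasoning.append("No URLs or attachments present")
        reasoning.append("Email requests action (payment / reply)")
        reasoning.append("Email authentication failure detected")
        return "Business Email Compromise (BEC)", "High", reasoning

    # 2. Malware delivery: an attachment the attachment analyzer flagged.
    if has_attachments and _mentions(findings_text, _MALWARE_KEYWORDS):
        reasoning.append("Malicious attachment detected")
        if has_urls:
            reasoning.append("URL-based delivery combined with attachment")
        return "Malware Delivery", "High", reasoning

    # 3. Phishing: URLs plus credential-harvesting language.
    if has_urls and _mentions(findings_text, _PHISHING_KEYWORDS):
        reasoning.append("Phishing indicators in body content")
        reasoning.append("Malicious or suspicious URLs detected")
        if dmarc_fail:
            reasoning.append("DMARC failure increases confidence")
        return "Phishing", "High", reasoning

    # 4. Brand spoofing: impersonation findings regardless of payload.
    if _mentions(findings_text, _BRAND_KEYWORDS):
        reasoning.append("Look-alike domain or brand impersonation detected")
        if dmarc_fail:
            reasoning.append("Brand spoofing combined with DMARC failure")
        return "Brand Spoofing", "Medium", reasoning

    # 5. Spam / marketing: promotional language with a low overall score.
    if _mentions(findings_text, _SPAM_KEYWORDS) and final_score < SPAM_SCORE_MAX:
        reasoning.append("Marketing language detected")
        reasoning.append("Low overall risk score")
        return "Spam / Marketing", "Low", reasoning

    # 6. Generic suspicious: nothing specific matched but the score is high.
    if final_score >= SUSPICIOUS_SCORE_MIN:
        reasoning.append("High overall risk score")
        return "Suspicious Email", "Medium", reasoning

    # 7. Fall-through: nothing matched and the score is below the threshold.
    reasoning.append("No strong malicious indicators detected")
    return "Legitimate Email", "High", reasoning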