app/api/admin/customers.php

<?php

/**
 * BOHA Automation - Customers API
 *
 * GET    /api/admin/customers.php              - List customers
 * GET    /api/admin/customers.php?id=X         - Get single customer
 * GET    /api/admin/customers.php?action=search&q=  - Search customers
 * POST   /api/admin/customers.php              - Create customer
 * PUT    /api/admin/customers.php?id=X         - Update customer
 * DELETE /api/admin/customers.php?id=X         - Delete customer
 */

declare(strict_types=1);

require_once dirname(__DIR__) . '/config.php';
require_once dirname(__DIR__) . '/includes/JWTAuth.php';
require_once dirname(__DIR__) . '/includes/AuditLog.php';
require_once __DIR__ . '/handlers/customers-handlers.php';

setCorsHeaders();
setSecurityHeaders();
setNoCacheHeaders();
header('Content-Type: application/json; charset=utf-8');

$authData = JWTAuth::requireAuth();
AuditLog::setUser($authData['user_id'], $authData['user']['username'] ?? 'unknown');

$method = $_SERVER['REQUEST_METHOD'];
$customerId = isset($_GET['id']) ? (int) $_GET['id'] : null;
$action = $_GET['action'] ?? '';

try {
    $pdo = db();

    switch ($method) {
        case 'GET':
            requirePermission($authData, 'offers.view');
            if ($action === 'search') {
                handleSearch($pdo);
            } elseif ($customerId) {
                handleGetOne($pdo, $customerId);
            } else {
                handleGetAll($pdo);
            }
            break;

        case 'POST':
            requirePermission($authData, 'offers.create');
            handleCreateCustomer($pdo);
            break;

        case 'PUT':
            requirePermission($authData, 'offers.edit');
            if (!$customerId) {
                errorResponse('ID zákazníka je povinné');
            }
            handleUpdateCustomer($pdo, $customerId);
            break;

        case 'DELETE':
            requirePermission($authData, 'offers.delete');
            if (!$customerId) {
                errorResponse('ID zákazníka je povinné');
            }
            handleDeleteCustomer($pdo, $customerId);
            break;

        default:
            errorResponse('Metoda není povolena', 405);
    }
} catch (PDOException $e) {
    error_log('Customers API error: ' . $e->getMessage());
    if (DEBUG_MODE) {
        errorResponse('Chyba databáze: ' . $e->getMessage(), 500);
    } else {
        errorResponse('Chyba databáze', 500);
    }
}