// Package bootstrap implements first-run bootstrap.json ingestion (slice 8A, doc 03 §6,
// config-contract decision (c)). The host agent's provisioning back-half writes a stable
// bootstrap.json into a read-only config mount; on first run the controller seeds its own
// controller.yaml from it and comes up CONFIGURED, skipping the setup wizard. The agent emits
// the stable contract; the controller owns the translation — the two stay decoupled.
package bootstrap

import (
	"encoding/json"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"

	"gitea.dooplex.hu/admin/felhom-controller/internal/config"
	"gopkg.in/yaml.v3"
)

// DefaultMountPath is where the agent attaches the read-only config mount (spike S2). Override
// with FELHOM_BOOTSTRAP_PATH for tests / non-standard layouts.
const DefaultMountPath = "/etc/felhom-bootstrap/bootstrap.json"

// SchemaV1 is the stable contract version the agent emits and the controller ingests.
const SchemaV1 = "felhom.bootstrap/v1"

// Bootstrap is the stable agent→controller config contract (JSON). It carries exactly what the
// controller needs to come up configured + reach the agent's local API. It is deliberately a
// SEPARATE shape from controller.yaml (decision (c)): the agent never needs to know the
// controller's full config schema.
type Bootstrap struct {
	Schema   string            `json:"schema"`
	Customer BootstrapCustomer `json:"customer"`
	Hub      BootstrapHub      `json:"hub"`
	LocalAPI BootstrapLocalAPI `json:"local_api"`
}

type BootstrapCustomer struct {
	ID     string `json:"id"`
	Name   string `json:"name"`
	Domain string `json:"domain"`
	Email  string `json:"email"`
}

type BootstrapHub struct {
	URL    string `json:"url"`
	APIKey string `json:"api_key"`
	HostID string `json:"host_id"` // the agent's host id (reference; not load-bearing for the controller)
}

type BootstrapLocalAPI struct {
	Endpoint    string `json:"endpoint"`    // host bridge IP:port
	Fingerprint string `json:"fingerprint"` // agent leaf-cert SHA-256 (hex) to pin
	Token       string `json:"token"`       // per-guest bearer; SECRET
}

// Path returns the bootstrap mount path (env override → default).
func Path() string {
	if p := strings.TrimSpace(os.Getenv("FELHOM_BOOTSTRAP_PATH")); p != "" {
		return p
	}
	return DefaultMountPath
}

// MaybeIngest seeds controller.yaml from a bootstrap.json mount when the controller is NOT yet
// configured, and returns the config the caller should use.
//
// Contract:
//   - Idempotent: if cfg is already configured (customer.id set), the existing controller.yaml is
//     NEVER clobbered — returns cfg unchanged.
//   - Fail-safe: an absent or malformed bootstrap, or one missing the minimum identity, leaves cfg
//     unchanged (the caller proceeds to normal setup mode) — it logs and never crashes.
//   - On success: writes controller.yaml (0600, atomic), reloads it, and returns the reloaded cfg.
func MaybeIngest(configPath string, cfg *config.Config, logger *log.Logger) *config.Config {
	if cfg != nil && cfg.Customer.ID != "" {
		return cfg // already configured — do not clobber (idempotent)
	}
	bpath := Path()
	data, err := os.ReadFile(bpath)
	if err != nil {
		if !os.IsNotExist(err) {
			logger.Printf("[WARN] bootstrap: cannot read %s: %v — staying in setup", bpath, err)
		}
		return cfg // no bootstrap → normal setup
	}

	var b Bootstrap
	if err := json.Unmarshal(data, &b); err != nil {
		logger.Printf("[WARN] bootstrap: %s is not valid JSON: %v — staying in setup", bpath, err)
		return cfg
	}
	if b.Schema != "" && b.Schema != SchemaV1 {
		logger.Printf("[WARN] bootstrap: unsupported schema %q (want %q) — staying in setup", b.Schema, SchemaV1)
		return cfg
	}
	if b.Customer.ID == "" || b.Customer.Domain == "" {
		logger.Printf("[WARN] bootstrap: %s missing customer.id/domain — staying in setup", bpath)
		return cfg
	}

	seeded := configFromBootstrap(b)
	if err := writeYAML(configPath, seeded); err != nil {
		logger.Printf("[WARN] bootstrap: could not write %s: %v — staying in setup", configPath, err)
		return cfg
	}
	reloaded, err := config.LoadPermissive(configPath)
	if err != nil {
		logger.Printf("[WARN] bootstrap: wrote %s but reload failed: %v — staying in setup", configPath, err)
		return cfg
	}
	logger.Printf("[INFO] bootstrap: seeded %s from %s (customer=%s, local_api=%s) — coming up configured",
		configPath, bpath, b.Customer.ID, b.LocalAPI.Endpoint)
	return reloaded
}

// configFromBootstrap maps the stable contract onto a controller.yaml Config. Only the
// identity/hub/local-api fields are seeded; all other config keeps controller defaults (the
// customer configures the rest via the dashboard / hub manifest).
func configFromBootstrap(b Bootstrap) *config.Config {
	cfg := &config.Config{}
	cfg.Customer.ID = b.Customer.ID
	cfg.Customer.Name = b.Customer.Name
	cfg.Customer.Domain = b.Customer.Domain
	cfg.Customer.Email = b.Customer.Email
	if b.Hub.URL != "" {
		cfg.Hub.Enabled = b.Hub.APIKey != ""
		cfg.Hub.URL = b.Hub.URL
		cfg.Hub.APIKey = b.Hub.APIKey
	}
	cfg.LocalAPI.Endpoint = b.LocalAPI.Endpoint
	cfg.LocalAPI.Fingerprint = b.LocalAPI.Fingerprint
	cfg.LocalAPI.Token = b.LocalAPI.Token
	return cfg
}

// writeYAML marshals cfg to YAML and writes it atomically (tmp + rename), 0600 (it carries the
// local-api token + any hub key).
func writeYAML(path string, cfg *config.Config) error {
	out, err := yaml.Marshal(cfg)
	if err != nil {
		return fmt.Errorf("marshal: %w", err)
	}
	if err := os.MkdirAll(filepath.Dir(path), 0o755); err != nil {
		return fmt.Errorf("config dir: %w", err)
	}
	tmp := path + ".tmp"
	if err := os.WriteFile(tmp, out, 0o600); err != nil {
		return err
	}
	return os.Rename(tmp, path)
}