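#!/usr/bin/env bash
# Helpers for locating, decrypting and (re)encrypting agenix-managed secrets
# for the burrow repository. Intended to be sourced by other scripts.
#
# Conventions:
#   - Every function takes the repository root as its first argument and
#     writes its single result (a path) to stdout; diagnostics go to stderr.
#   - Decrypted plaintext is staged in mktemp-created files recorded in
#     BURROW_SECRET_TMPFILES. The sourcing script must arrange for
#     burrow_cleanup_secret_tmpfiles to run on every exit path, e.g.
#       trap burrow_cleanup_secret_tmpfiles EXIT
#   - agenix is always invoked as `nix run "${repo_root}#agenix"`.
#
# Environment:
#   BURROW_AGE_IDENTITY, BURROW_FORGE_SSH_KEY  optional identity overrides
#   TMPDIR                                     where plaintext temp files go
set -euo pipefail

# Plaintext temp files created by burrow_decrypt_age_secret_to_temp that
# still have to be deleted.
BURROW_SECRET_TMPFILES=()

#######################################
# Turn an absolute secret path into the path handed to agenix: relative to
# the repository root when the file lives inside it, unchanged otherwise.
# Arguments: $1 - repository root
#            $2 - path to the .age file
# Outputs:   the agenix-facing path on stdout
# Returns:   0
#######################################
burrow_secret_repo_path() {
  local repo_root="$1"
  local secret_path="$2"

  case "${secret_path}" in
    "${repo_root}"/*)
      # The prefix is quoted so glob characters in repo_root stay literal.
      printf '%s\n' "${secret_path#"${repo_root}"/}"
      ;;
    *)
      printf '%s\n' "${secret_path}"
      ;;
  esac
}

#######################################
# Pick the first existing identity file, in priority order:
# BURROW_AGE_IDENTITY, BURROW_FORGE_SSH_KEY, the in-repo intake key, then
# the agent key and id_ed25519 under $HOME/.ssh.
# Arguments: $1 - repository root
# Outputs:   the identity path on stdout, or nothing when none exists
# Returns:   0 always (callers test the output for emptiness and then let
#            agenix fall back to its own default identities)
#######################################
burrow_agenix_identity_path() {
  local repo_root="$1"
  local home="${HOME:-}"
  local candidate

  for candidate in \
    "${BURROW_AGE_IDENTITY:-}" \
    "${BURROW_FORGE_SSH_KEY:-}" \
    "${repo_root}/intake/agent_at_burrow_net_ed25519" \
    "${home}/.ssh/agent_at_burrow_net_ed25519" \
    "${home}/.ssh/id_ed25519"; do
    if [[ -n "${candidate}" && -f "${candidate}" ]]; then
      printf '%s\n' "${candidate}"
      return 0
    fi
  done
  return 0
}

#######################################
# Delete every plaintext temp file recorded in BURROW_SECRET_TMPFILES and
# clear the list. Safe to call repeatedly and from an EXIT trap.
# Globals:   BURROW_SECRET_TMPFILES (read, then reset)
# Returns:   0
#######################################
burrow_cleanup_secret_tmpfiles() {
  local path

  # ":-" keeps "set -u" happy on bash < 4.4 when the array is empty.
  for path in "${BURROW_SECRET_TMPFILES[@]:-}"; do
    if [[ -n "${path}" ]]; then
      # Best effort: a file that is already gone must not abort cleanup.
      rm -f -- "${path}" >/dev/null 2>&1 || true
    fi
  done
  BURROW_SECRET_TMPFILES=()
}

#######################################
# Decrypt an agenix secret into a fresh 0600 temp file and print its path.
# The temp file is registered in BURROW_SECRET_TMPFILES before decryption
# starts, so an aborted decrypt cannot leave untracked (possibly partial)
# plaintext behind.
# Arguments: $1 - repository root
#            $2 - path to the .age file
# Outputs:   path of the plaintext temp file on stdout
# Returns:   0 on success; 1 when the secret is missing, mktemp fails, or
#            decryption fails (the temp file is removed in that case)
#######################################
burrow_decrypt_age_secret_to_temp() {
  local repo_root="$1"
  local secret_path="$2"
  local agenix_path
  local identity_path
  local tmp_file
  local -a identity_args=()

  if [[ ! -f "${secret_path}" ]]; then
    printf '%s\n' "age secret not found: ${secret_path}" >&2
    return 1
  fi

  agenix_path="$(burrow_secret_repo_path "${repo_root}" "${secret_path}")"
  identity_path="$(burrow_agenix_identity_path "${repo_root}")"
  # Without an explicit identity agenix is left to its own defaults.
  if [[ -n "${identity_path}" ]]; then
    identity_args=(-i "${identity_path}")
  fi

  # mktemp creates the file with mode 0600. Register it before any
  # plaintext is written so cleanup also covers the failure path.
  tmp_file="$(mktemp "${TMPDIR:-/tmp}/burrow-secret.XXXXXX")" || return 1
  BURROW_SECRET_TMPFILES+=("${tmp_file}")

  # NOTE(review): agenix_path is repo-relative, which presumably requires the
  # caller to run this from repo_root — confirm against the sourcing scripts.
  # The "${arr[@]+...}" form expands to nothing for an empty array under
  # "set -u" on bash < 4.4.
  if ! nix --extra-experimental-features "nix-command flakes" \
      run "${repo_root}#agenix" -- -d "${agenix_path}" \
      ${identity_args[@]+"${identity_args[@]}"} \
      > "${tmp_file}"; then
    printf '%s\n' "failed to decrypt age secret: ${secret_path}" >&2
    rm -f -- "${tmp_file}"
    return 1
  fi
  chmod 600 "${tmp_file}"

  printf '%s\n' "${tmp_file}"
}

#######################################
# Resolve which file holds a secret, in priority order: an explicitly given
# file, an agenix-encrypted file (decrypted to a temp file), an intake file,
# then an optional fallback. Non-explicit candidates are skipped when absent
# or empty.
# Arguments: $1 - repository root
#            $2 - explicit path (must exist and be non-empty when given)
#            $3 - intake path
#            $4 - .age path
#            $5 - fallback path (optional)
# Outputs:   the chosen path on stdout
# Returns:   0 when a file was found; 1 otherwise or when decryption fails
#######################################
burrow_resolve_secret_file() {
  local repo_root="$1"
  local explicit_path="$2"
  local intake_path="$3"
  local age_path="$4"
  local fallback_path="${5:-}"
  local candidate

  if [[ -n "${explicit_path}" ]]; then
    if [[ ! -s "${explicit_path}" ]]; then
      printf '%s\n' "required file missing or empty: ${explicit_path}" >&2
      return 1
    fi
    printf '%s\n' "${explicit_path}"
    return 0
  fi

  if [[ -n "${age_path}" && -f "${age_path}" ]]; then
    # Propagate the decrypt status: an unconditional "return 0" here would
    # report success with no path whenever this function runs with -e
    # suspended (inside "if", "||", or a command substitution so guarded).
    burrow_decrypt_age_secret_to_temp "${repo_root}" "${age_path}"
    return $?
  fi

  for candidate in "${intake_path}" "${fallback_path}"; do
    if [[ -n "${candidate}" && -s "${candidate}" ]]; then
      printf '%s\n' "${candidate}"
      return 0
    fi
  done
  return 1
}

#######################################
# Encrypt the contents of a plaintext file into an agenix secret, replacing
# any existing .age file. The previous ciphertext is backed up first and
# restored if agenix fails, so a failed run never loses the old secret.
# Arguments: $1 - repository root
#            $2 - destination .age path
#            $3 - plaintext source file (must be non-empty)
# Returns:   0 on success; 1 when the source is missing/empty, the backup
#            cannot be created, or agenix fails
#######################################
burrow_encrypt_secret_from_file() {
  local repo_root="$1"
  local secret_path="$2"
  local source_path="$3"
  local agenix_path
  local backup_file=""

  if [[ ! -s "${source_path}" ]]; then
    printf '%s\n' "secret source missing or empty: ${source_path}" >&2
    return 1
  fi

  agenix_path="$(burrow_secret_repo_path "${repo_root}" "${secret_path}")"

  # Only ciphertext is copied here, so the backup needs no extra protection.
  if [[ -f "${secret_path}" ]]; then
    backup_file="$(mktemp "${TMPDIR:-/tmp}/burrow-secret-backup.XXXXXX")" \
      || return 1
    cp -- "${secret_path}" "${backup_file}"
  fi

  # The old file is removed first, presumably so agenix treats this as a new
  # secret fed from stdin instead of re-editing the existing one — confirm.
  rm -f -- "${secret_path}"
  if ! nix --extra-experimental-features "nix-command flakes" \
      run "${repo_root}#agenix" -- -e "${agenix_path}" < "${source_path}"; then
    if [[ -n "${backup_file}" && -f "${backup_file}" ]]; then
      mv -- "${backup_file}" "${secret_path}"
    fi
    return 1
  fi

  if [[ -n "${backup_file}" ]]; then
    rm -f -- "${backup_file}"
  fi
  # Explicit success: ending on a "[[ -n ... ]] && rm" list made the function
  # return 1 whenever there was no backup, i.e. for every brand-new secret,
  # which aborts "set -e" callers after a successful encrypt.
  return 0
}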