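#!/usr/bin/env bash
# Helpers for locating and (de|en)crypting age-managed secrets through agenix.
# Intended to be sourced: every function returns non-zero on failure and
# writes its diagnostics to stderr; results are printed on stdout.
set -euo pipefail

# Decrypted temp files awaiting removal by burrow_cleanup_secret_tmpfiles.
BURROW_SECRET_TMPFILES=()

#######################################
# Remove every registered decrypted temp file and reset the registry.
# Globals:   BURROW_SECRET_TMPFILES (read, then emptied)
# Returns:   always 0 (removal is best-effort)
#######################################
burrow_cleanup_secret_tmpfiles() {
  local path
  # "${arr[@]:-}" keeps 'set -u' quiet on an empty array in older bash;
  # the resulting empty element is skipped by the -n check.
  for path in "${BURROW_SECRET_TMPFILES[@]:-}"; do
    if [[ -n "${path}" ]]; then
      rm -f -- "${path}" >/dev/null 2>&1 || true
    fi
  done
  BURROW_SECRET_TMPFILES=()
}

#######################################
# Decrypt an age secret into a fresh 0600 temp file and print that path.
# Globals:   BURROW_SECRET_TMPFILES (appended), TMPDIR (read)
# Arguments: $1 - repo root (flake that provides #agenix)
#            $2 - path of the .age file to decrypt
# Outputs:   temp file path on stdout
# Returns:   1 if the secret is missing, mktemp fails, or decryption fails
#            (a partially written temp file is removed before returning)
#######################################
burrow_decrypt_age_secret_to_temp() {
  local repo_root="$1"
  local secret_path="$2"
  local tmp_file

  if [[ ! -f "${secret_path}" ]]; then
    printf 'age secret not found: %s\n' "${secret_path}" >&2
    return 1
  fi

  tmp_file="$(mktemp "${TMPDIR:-/tmp}/burrow-secret.XXXXXX")" || return 1
  # Register before decrypting so a failed run cannot leak the file.
  # NOTE(review): when this function is invoked via $(...), the append below
  # happens in a subshell and is invisible to the caller's cleanup; callers
  # that capture the path should register it themselves — confirm against callers.
  BURROW_SECRET_TMPFILES+=("${tmp_file}")
  if ! nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -d "${secret_path}" > "${tmp_file}"; then
    printf 'failed to decrypt age secret: %s\n' "${secret_path}" >&2
    rm -f -- "${tmp_file}" >/dev/null 2>&1 || true
    return 1
  fi
  # mktemp already creates the file 0600; kept as a belt-and-braces guard.
  chmod 600 "${tmp_file}"
  printf '%s\n' "${tmp_file}"
}

#######################################
# Pick the first usable source for a secret and print its path.
# Precedence: explicit path (must be non-empty, no fallback) > intake file
# > age secret (decrypted to a temp file) > fallback file.
# Globals:   none directly (decryption registers into BURROW_SECRET_TMPFILES)
# Arguments: $1 - repo root passed on to the decrypt helper
#            $2 - explicitly requested plaintext path, or ""
#            $3 - intake plaintext path, or ""
#            $4 - .age path, or ""
#            $5 - optional fallback plaintext path
# Outputs:   chosen path on stdout
# Returns:   0 on success, 1 when nothing usable was found or decryption failed
#######################################
burrow_resolve_secret_file() {
  local repo_root="$1"
  local explicit_path="$2"
  local intake_path="$3"
  local age_path="$4"
  local fallback_path="${5:-}"

  # An explicitly requested file must exist and be non-empty; no fallback.
  if [[ -n "${explicit_path}" ]]; then
    if [[ ! -s "${explicit_path}" ]]; then
      printf 'required file missing or empty: %s\n' "${explicit_path}" >&2
      return 1
    fi
    printf '%s\n' "${explicit_path}"
    return 0
  fi

  if [[ -n "${intake_path}" && -s "${intake_path}" ]]; then
    printf '%s\n' "${intake_path}"
    return 0
  fi

  if [[ -n "${age_path}" && -f "${age_path}" ]]; then
    # Propagate the decrypt status rather than an unconditional 'return 0',
    # which would report success with nothing on stdout when decryption fails.
    burrow_decrypt_age_secret_to_temp "${repo_root}" "${age_path}"
    return
  fi

  if [[ -n "${fallback_path}" && -s "${fallback_path}" ]]; then
    printf '%s\n' "${fallback_path}"
    return 0
  fi

  return 1
}

#######################################
# Encrypt a plaintext file into an age secret via agenix's editor hook.
# Globals:   sets SECRET_SOURCE_FILE and EDITOR for the nix invocation only
# Arguments: $1 - repo root (flake that provides #agenix)
#            $2 - .age path to (re)write
#            $3 - plaintext source file (must be non-empty)
# Returns:   1 if the source is missing/empty, else the agenix exit status
#######################################
burrow_encrypt_secret_from_file() {
  local repo_root="$1"
  local secret_path="$2"
  local source_path="$3"

  if [[ ! -s "${source_path}" ]]; then
    printf 'secret source missing or empty: %s\n' "${source_path}" >&2
    return 1
  fi

  # agenix -e opens $EDITOR on the plaintext; the loader script presumably
  # reads SECRET_SOURCE_FILE so the plaintext never appears on argv — verify
  # against Scripts/agenix-load-file.sh.
  SECRET_SOURCE_FILE="${source_path}" \
    EDITOR="${repo_root}/Scripts/agenix-load-file.sh" \
    nix --extra-experimental-features "nix-command flakes" run "${repo_root}#agenix" -- -e "${secret_path}"
}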