#!/usr/bin/env bash
# SPDX-License-Identifier: Apache-2.0
# SPDX-FileCopyrightText: 2026 Hushh

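# Strict mode: abort on unhandled errors, on unset variables, and when any
# stage of a pipeline fails.
set -euo pipefail

# Resolve the directory that holds this script and its parent (the protocol
# root), then run everything from the root so the relative paths used below
# (.venv/, tests/, scripts/, pyproject.toml) resolve the same way no matter
# where the caller started.
# CDPATH is cleared for the two lookups: with CDPATH exported in the caller's
# environment, a relative `cd` can resolve to a different directory and also
# prints the directory it chose, which would end up in the captured value.
SCRIPT_DIR="$(CDPATH= cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
PROTOCOL_ROOT="$(CDPATH= cd -- "$SCRIPT_DIR/.." && pwd)"
cd -- "$PROTOCOL_ROOT"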

#######################################
# Print the command overview.
# Outputs: usage text on stdout
#######################################
usage() {
  printf '%s\n' \
    'Usage:' \
    '  ./bin/consent-protocol <command>' \
    '' \
    'Commands:' \
    '  dev' \
    '  lint' \
    '  format' \
    '  format-check' \
    '  fix' \
    '  typecheck' \
    '  test [pytest args...]   # default: whole tests/ tree' \
    '  test-ci' \
    '  security' \
    '  accuracy' \
    '  ci' \
    '  clean'
}

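#######################################
# Print the Python interpreter to use when a tool is not run through uv.
# Lookup order: the project virtualenv (.venv/bin/python, relative to the
# current directory), the interpreter reported by `uv python find`, then
# python3 and python from PATH.
# Outputs:   interpreter path (or command name) on stdout; a diagnostic on
#            stderr when nothing was found
# Returns:   0 when an interpreter was found, 1 otherwise
#######################################
python_bin() {
  local candidate

  if [ -x .venv/bin/python ]; then
    printf '%s\n' ".venv/bin/python"
    return 0
  fi

  # Accept uv's answer only when it succeeded and printed something; a failed
  # or empty `uv python find` falls through to the PATH lookups instead of
  # being reported as success with no interpreter.
  if command -v uv >/dev/null 2>&1; then
    if candidate="$(uv python find)" && [ -n "$candidate" ]; then
      printf '%s\n' "$candidate"
      return 0
    fi
  fi

  for candidate in python3 python; do
    if command -v "$candidate" >/dev/null 2>&1; then
      command -v "$candidate"
      return 0
    fi
  done

  # Without this message the caller (running under `set -e`) would stop with
  # no explanation.
  printf '%s\n' "consent-protocol: no Python interpreter found (looked for .venv/bin/python, uv, python3, python)" >&2
  return 1
}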

# Interpreter for the "$PYTHON_BIN -m <tool>" fallbacks used when uv is not on
# PATH. It is resolved up front for every subcommand; under `set -e` a failing
# lookup stops the script at this line.
PYTHON_BIN=$(python_bin)

#######################################
# Run a command with the fixed environment the test suites expect.
# The values are throwaway test fixtures (the vault key is all zeros), not
# real credentials, and must not be reused outside test runs. They are set
# for the child process only and override anything the caller already has
# in its environment under the same names.
# Arguments: "$@" - command and arguments to execute
# Returns:   exit status of the command
#######################################
run_test_env() {
  local -a test_env=(
    "TESTING=true"
    "APP_SIGNING_KEY=test_secret_key_for_ci_only_32chars_min"
    "VAULT_DATA_KEY=0000000000000000000000000000000000000000000000000000000000000000"
    "HUSHH_DEVELOPER_TOKEN=test_hushh_developer_token_for_ci"
    "PYTHONPATH=."
  )
  env "${test_env[@]}" "$@"
}

# The first positional argument selects the subcommand; everything after it
# stays in "$@" and is forwarded to the underlying tool. A missing or empty
# subcommand prints the usage text and exits with status 1.
if [ "${1:-}" = "" ]; then
  usage
  exit 1
fi
COMMAND="$1"
shift || true

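# Dispatch on the subcommand. Most arms prefer `uv run <tool>` when uv is on
# PATH and otherwise fall back to "$PYTHON_BIN -m <tool>"; the remaining
# arguments ("$@") are forwarded to the tool. Arms that end in `exec` replace
# this shell, so the tool's exit status becomes the script's exit status.
case "$COMMAND" in
  -h|--help|help)
    usage
    ;;
  dev)
    # Development server with auto-reload on port 8000. No --host is passed
    # here, so the bind address is uvicorn's default unless the caller adds
    # one through "$@".
    if command -v uv >/dev/null 2>&1; then
      exec uv run uvicorn server:app --reload --port 8000 "$@"
    fi
    exec "$PYTHON_BIN" -m uvicorn server:app --reload --port 8000 "$@"
    ;;
  lint)
    if command -v uv >/dev/null 2>&1; then
      exec uv run ruff check . "$@"
    fi
    exec "$PYTHON_BIN" -m ruff check . "$@"
    ;;
  format)
    if command -v uv >/dev/null 2>&1; then
      exec uv run ruff format . "$@"
    fi
    exec "$PYTHON_BIN" -m ruff format . "$@"
    ;;
  format-check)
    # Read-only variant of `format`: reports files that would change.
    if command -v uv >/dev/null 2>&1; then
      exec uv run ruff format --check . "$@"
    fi
    exec "$PYTHON_BIN" -m ruff format --check . "$@"
    ;;
  fix)
    # Format first, then apply lint autofixes. The same extra arguments are
    # passed to both ruff invocations.
    if command -v uv >/dev/null 2>&1; then
      uv run ruff format . "$@"
      exec uv run ruff check . --fix "$@"
    fi
    "$PYTHON_BIN" -m ruff format . "$@"
    exec "$PYTHON_BIN" -m ruff check . --fix "$@"
    ;;
  typecheck)
    # --ignore-missing-imports: imports mypy cannot resolve are not reported,
    # so code behind them is not type-checked by this step.
    if command -v uv >/dev/null 2>&1; then
      exec uv run mypy --config-file pyproject.toml --ignore-missing-imports "$@"
    fi
    exec "$PYTHON_BIN" -m mypy --config-file pyproject.toml --ignore-missing-imports "$@"
    ;;
  test)
    # With no arguments the whole tests/ tree runs; otherwise the arguments
    # replace that default and are handed to pytest as given.
    pytest_targets=()
    if [ "$#" -eq 0 ]; then
      pytest_targets=(tests/)
    else
      pytest_targets=("$@")
    fi
    if command -v uv >/dev/null 2>&1; then
      run_test_env uv run pytest -v --tb=short "${pytest_targets[@]}"
    else
      run_test_env "$PYTHON_BIN" -m pytest -v --tb=short "${pytest_targets[@]}"
    fi
    ;;
  test-ci)
    run_test_env bash scripts/run-test-ci.sh "$@"
    ;;
  security)
    # Static security scan. Scope is limited to hushh_mcp/ and api/; other
    # directories are not scanned by this step. -ll reports findings of medium
    # severity and above, so low-severity findings do not show up or fail it.
    if command -v uv >/dev/null 2>&1; then
      exec uv run bandit -r hushh_mcp/ api/ -c pyproject.toml -ll "$@"
    fi
    exec "$PYTHON_BIN" -m bandit -r hushh_mcp/ api/ -c pyproject.toml -ll "$@"
    ;;
  accuracy)
    if command -v uv >/dev/null 2>&1; then
      exec uv run python scripts/run_kai_accuracy_suite.py "$@"
    fi
    exec "$PYTHON_BIN" scripts/run_kai_accuracy_suite.py "$@"
    ;;
  ci)
    # Re-invoke this script by absolute path. The working directory was
    # changed to the protocol root at startup, so a relative "$0" (for example
    # when the script was started from inside bin/) would no longer resolve.
    self_path="$SCRIPT_DIR/${BASH_SOURCE[0]##*/}"

    # The locked dependency sync and the runtime-requirements check only run
    # when uv is available; without uv the checks below use whatever is
    # already installed.
    if command -v uv >/dev/null 2>&1; then
      uv sync --frozen --group dev
      bash scripts/sync_runtime_requirements.sh --check
    fi

    # Each step is a child process; under `set -e` the first failing step
    # stops the sequence.
    "$self_path" lint
    "$self_path" format-check
    "$self_path" typecheck
    "$self_path" test-ci
    "$self_path" security
    echo ""
    echo "All CI checks passed."
    ;;
  clean)
    # Best-effort removal of caches. -prune keeps find from descending into a
    # directory that is about to be removed; errors are still ignored so a
    # directory that cannot be removed does not abort the rest of the cleanup.
    find . -type d -name __pycache__ -prune -exec rm -rf -- {} + 2>/dev/null || true
    find . -type d -name .pytest_cache -prune -exec rm -rf -- {} + 2>/dev/null || true
    find . -type d -name .mypy_cache -prune -exec rm -rf -- {} + 2>/dev/null || true
    find . -type f -name "*.pyc" -delete
    rm -rf .coverage htmlcov/ .ruff_cache/
    ;;
  *)
    # Unknown subcommand.
    usage
    exit 1
    ;;
esac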
