cairn_cli/

client.rs

use reqwest::header::{HeaderMap, HeaderValue, AUTHORIZATION, CONTENT_TYPE};
use serde_json::Value;

use crate::config::{CairnConfig, Credentials};
use crate::errors::CairnError;

/// JWT Claims structure for internal use
#[allow(dead_code)]
#[derive(serde::Deserialize, Debug)]
pub struct AgentClaims {
    pub sub: String,
    pub account_id: String,
    pub did: String,
    pub chain: String,
    network: String,
    api_root: String,
}

/// HTTP client wrapper with automatic JWT injection and x402 payment fallback.
pub struct BackpacClient {
    inner: reqwest::Client,
    api_url: String,
    worker_url: String,
    jwt: Option<String>,
    chain: String,
    network: String,
    worker_domain: String,
}

impl BackpacClient {
    /// Create a new client. Reads JWT from env, flag, or saved credentials.
    pub fn new(jwt_override: Option<&str>, api_url: Option<&str>, worker_url: Option<&str>) -> Self {
        let config = CairnConfig::load();

        let chain = config.chain.clone();
        let network = config.network.clone();
        let api_domain = config.api_domain.clone();
        let worker_domain = config.worker_domain.clone();

        let resolved_api_url = api_url
            .map(|s| s.to_string())
            .or(config.api_url.clone())
            .or_else(|| std::env::var("BACKPAC_API_URL").ok())
            .unwrap_or_else(|| {
                let protocol = if api_domain.starts_with("localhost") || api_domain.starts_with("127.0.0.1") {
                    "http"
                } else {
                    "https"
                };
                format!("{}://{}", protocol, api_domain)
            });

        let resolved_worker_url = worker_url
            .map(|s| s.to_string())
            .or(config.worker_url.clone())
            .or_else(|| std::env::var("BACKPAC_WORKER_URL").ok())
            .unwrap_or_else(|| {
                if worker_domain.starts_with("localhost") || worker_domain.starts_with("127.0.0.1") {
                    format!("http://{}", worker_domain)
                } else {
                    format!("https://{}-{}.{}", chain, network, worker_domain)
                }
            });

        let jwt = jwt_override
            .map(|s| s.to_string())
            .or_else(|| std::env::var("BACKPAC_JWT").ok())
            .or_else(|| Credentials::load().map(|c| c.jwt));

        let inner = reqwest::Client::builder()
            .timeout(std::time::Duration::from_secs(30))
            .build()
            .expect("Failed to create HTTP client");

        Self {
            inner,
            api_url: resolved_api_url,
            worker_url: resolved_worker_url,
            jwt,
            chain,
            network,
            worker_domain,
        }
    }

    /// Get the JWT claims as a JSON Value.
    pub fn claims(&self) -> Option<Value> {
        let jwt = self.jwt.as_ref()?;
        Self::decode_jwt_claims::<Value>(jwt)
    }

    /// Helper to decode JWT claims.
    fn decode_jwt_claims<T: serde::de::DeserializeOwned>(jwt: &str) -> Option<T> {
        let parts: Vec<&str> = jwt.split('.').collect();
        if parts.len() != 3 {
            return None;
        }

        let payload_b64 = parts[1];
        let decoded = base64::Engine::decode(
            &base64::engine::general_purpose::URL_SAFE_NO_PAD,
            payload_b64,
        ).ok()?;

        serde_json::from_slice(&decoded).ok()
    }

    /// Build headers with JWT Bearer auth.
    fn auth_headers(&self) -> Result<HeaderMap, CairnError> {
        let mut headers = HeaderMap::new();
        headers.insert(CONTENT_TYPE, HeaderValue::from_static("application/json"));

        if let Some(ref jwt) = self.jwt {
            let val = format!("Bearer {}", jwt);
            headers.insert(
                AUTHORIZATION,
                HeaderValue::from_str(&val).map_err(|e| CairnError::Auth(e.to_string()))?,
            );
        }
        Ok(headers)
    }

    /// GET request with auth.
    pub async fn get(&self, path: &str) -> Result<Value, CairnError> {
        let url = format!("{}{}", self.api_url, path);
        let resp = self
            .inner
            .get(&url)
            .headers(self.auth_headers()?)
            .send()
            .await?;

        self.handle_response(resp).await
    }

    /// Create an EventSource for Server-Sent Events (SSE).
    pub fn stream(&self, path: &str) -> Result<reqwest_eventsource::EventSource, CairnError> {
        let url = format!("{}{}", self.api_url, path);
        let req = self.inner.get(&url).headers(self.auth_headers()?);
        reqwest_eventsource::EventSource::new(req).map_err(|e| CairnError::General(e.to_string()))
    }

    /// POST request with auth and JSON body.
    pub async fn post(&self, path: &str, body: &Value) -> Result<Value, CairnError> {
        let url = format!("{}{}", self.api_url, path);
        let resp = self
            .inner
            .post(&url)
            .headers(self.auth_headers()?)
            .json(body)
            .send()
            .await?;

        self.handle_response(resp).await
    }

    /// PUT request with auth and JSON body.
    pub async fn put(&self, path: &str, body: &Value) -> Result<Value, CairnError> {
        let url = format!("{}{}", self.api_url, path);
        let resp = self
            .inner
            .put(&url)
            .headers(self.auth_headers()?)
            .json(body)
            .send()
            .await?;

        self.handle_response(resp).await
    }

    /// POST for RPC route (root path /) with custom headers for PoI binding.
    pub async fn rpc_post(
        &self,
        body: &Value,
        poi_id: Option<&str>,
        confidence: Option<f64>,
        hostname: Option<&str>,
    ) -> Result<Value, CairnError> {
        let url = format!("{}/", self.worker_url);
        let mut headers = self.auth_headers()?;

        let hostname_header = if let Some(h) = hostname {
            h.to_string()
        } else {
            // Header always uses chain-network format (e.g. ethereum-mainnet.backpac.xyz)
            // If worker_domain is localhost, we fallback to production domain for the header.
            let base_domain = if self.worker_domain.starts_with("localhost") || self.worker_domain.starts_with("127.0.0.1") {
                "backpac.xyz"
            } else {
                &self.worker_domain
            };
            format!("{}-{}.{}", self.chain, self.network, base_domain)
        };

        headers.insert(
            "x-backpac-hostname",
            HeaderValue::from_str(&hostname_header).map_err(|e| CairnError::InvalidInput(e.to_string()))?,
        );

        if let Some(poi) = poi_id {
            headers.insert(
                "X-Backpac-Poi-Id",
                HeaderValue::from_str(poi).map_err(|e| CairnError::InvalidInput(e.to_string()))?,
            );
        }
        if let Some(conf) = confidence {
            headers.insert(
                "X-Backpac-Confidence",
                HeaderValue::from_str(&conf.to_string())
                    .map_err(|e| CairnError::InvalidInput(e.to_string()))?,
            );
        }

        if std::env::var("CAIRN_DEBUG").map(|v| v == "1").unwrap_or(false) {
            eprintln!("[DEBUG] RPC POST URL: {}", url);
            eprintln!("[DEBUG] RPC Headers: {:?}", headers);
            eprintln!("[DEBUG] RPC Body: {:?}", body);
        }

        let resp = self.inner.post(&url).headers(headers).json(body).send().await?;
        self.handle_response(resp).await
    }

    /// Handle HTTP response, mapping status codes to CairnErrors.
    async fn handle_response(&self, resp: reqwest::Response) -> Result<Value, CairnError> {
        let status = resp.status();

        // Extract headers before taking ownership of resp body
        let mut l402_challenge = String::new();
        if let Some(header) = resp.headers().get("WWW-Authenticate") {
            if let Ok(val) = header.to_str() {
                l402_challenge = val.to_string();
            }
        } else if let Some(header) = resp.headers().get("L402") {
            if let Ok(val) = header.to_str() {
                l402_challenge = val.to_string();
            }
        }
        let mut intent_id = None;
        if let Some(header) = resp.headers().get("x-backpac-intent-id") {
            if let Ok(val) = header.to_str() {
                intent_id = Some(val.to_string());
            }
        }

        if status.is_success() {
            let mut body: Value = resp.json().await?;
            if let Some(id) = intent_id {
                if let Some(obj) = body.as_object_mut() {
                    obj.insert("intent_id".to_string(), Value::String(id));
                }
            }
            return Ok(body);
        }

        // Try to parse error body
        let body_text = resp.text().await.unwrap_or_default();
        let error_msg = serde_json::from_str::<Value>(&body_text)
            .ok()
            .and_then(|v| v.get("error").and_then(|e| e.as_str()).map(String::from))
            .unwrap_or_else(|| body_text.clone());

        match status.as_u16() {
            400 => Err(CairnError::InvalidInput(error_msg)),
            401 => {
                if error_msg.contains("expired") {
                    Err(CairnError::TokenExpired)
                } else {
                    Err(CairnError::Auth(error_msg))
                }
            }
            402 => {
                if !l402_challenge.is_empty() {
                    // x402 Payment Required — parse macaroon and invoice
                    let is_auto_pay = std::env::var("CAIRN_AUTO_PAY").map(|v| v == "1").unwrap_or(false);
                    
                    if is_auto_pay {
                        // TODO: Parse L402 macaroon & invoice, sign with wallet via ethers,
                        // and re-submit the RPC request with Authorization: L402 <macaroon> <sig>
                        return Err(CairnError::InsufficientFunds(
                            format!("Credits exhausted. Auto-payment attempted for L402 challenge but signing logic is pending implementation. Challenge: {}", l402_challenge),
                        ));
                    } else {
                        return Err(CairnError::InsufficientFunds(
                            format!("Credits exhausted. Payment required: {}\nHint: Set CAIRN_AUTO_PAY=1 to enable wallet auto-payment.", l402_challenge),
                        ));
                    }
                }

                Err(CairnError::InsufficientFunds(
                    "Credits exhausted. x402 auto-payment not available (missing L402 headers).".to_string(),
                ))
            }
            403 => Err(CairnError::Forbidden(error_msg)),
            404 => Err(CairnError::NotFound(error_msg)),
            409 => Err(CairnError::Conflict(error_msg)),
            410 => {
                if error_msg.contains("expired") {
                    Err(CairnError::IntentExpired(error_msg))
                } else {
                    Err(CairnError::IntentAborted(error_msg))
                }
            }
            _ => Err(CairnError::General(format!("HTTP {}: {}", status, error_msg))),
        }
    }
}