cufflink-cli 0.11.2

use crate::config::CliConfig;
use crate::project_config::ProjectConfig;
use std::collections::HashMap;
use std::process::Command;

/// Get the service ID by extracting manifest name and looking up via API
async fn get_service_id(config: &CliConfig) -> eyre::Result<String> {
    // Check if this is a web project first (use Cufflink.toml)
    let project = ProjectConfig::find_and_load()?;
    let mode = project
        .as_ref()
        .and_then(|p| p.service.mode.as_deref())
        .unwrap_or("rust");

    let service_name = if mode == "web" {
        project
            .as_ref()
            .and_then(|p| p.service.name.as_deref())
            .ok_or_else(|| eyre::eyre!("Web mode requires [service].name in Cufflink.toml"))?
            .to_string()
    } else {
        let output = Command::new("cargo")
            .args(["run", "--", "--emit-manifest"])
            .output()?;

        if !output.status.success() {
            eyre::bail!("Failed to build service. Run from a cufflink service directory.");
        }

        let stdout = String::from_utf8(output.stdout)?;
        let manifest: serde_json::Value = serde_json::from_str(stdout.trim())?;
        manifest["name"]
            .as_str()
            .ok_or_else(|| eyre::eyre!("No service name in manifest"))?
            .to_string()
    };
    let service_name = &service_name;

    let client = config.http_client();
    let resp = config
        .auth_request(
            &client,
            reqwest::Method::GET,
            &format!("{}/api/services", config.api_url),
        )
        .send()
        .await?;

    let services: serde_json::Value = resp.json().await?;
    let service = services["services"]
        .as_array()
        .and_then(|arr| {
            arr.iter()
                .find(|s| s["name"].as_str() == Some(service_name))
        })
        .ok_or_else(|| eyre::eyre!("Service '{}' not found on platform", service_name))?;

    Ok(service["id"]
        .as_str()
        .ok_or_else(|| eyre::eyre!("Service has no ID"))?
        .to_string())
}

/// List all config values for the current service
pub async fn list(env: Option<&str>) -> eyre::Result<()> {
    let config = CliConfig::load_with_env(env)?;

    if let Some(ref name) = config.env_name {
        println!("Environment: {}", name);
    }

    let service_id = get_service_id(&config).await?;

    let client = config.http_client();
    let resp = config
        .auth_request(
            &client,
            reqwest::Method::GET,
            &format!("{}/api/services/{}/config", config.api_url, service_id),
        )
        .send()
        .await?;

    if resp.status().is_success() {
        let body: serde_json::Value = resp.json().await?;
        if let Some(configs) = body["configs"].as_array() {
            if configs.is_empty() {
                println!("No configuration values set.");
            } else {
                use comfy_table::{presets::NOTHING, Table, TableComponent};

                let mut table = Table::new();
                table.load_preset(NOTHING);
                table.set_style(TableComponent::HeaderLines, '-');
                table.set_style(TableComponent::MiddleHeaderIntersections, ' ');
                table.set_header(vec!["KEY", "VALUE", "SECRET"]);

                for c in configs {
                    let secret = if c["is_secret"].as_bool() == Some(true) {
                        "yes"
                    } else {
                        "no"
                    };
                    table.add_row(vec![
                        c["key"].as_str().unwrap_or(""),
                        c["value"].as_str().unwrap_or(""),
                        secret,
                    ]);
                }

                println!("{table}");
            }
        }
    } else {
        let status = resp.status();
        let body = resp.text().await.unwrap_or_default();
        eyre::bail!("Failed to list config ({}): {}", status, body);
    }

    Ok(())
}

/// Set a config value
pub async fn set(key: &str, value: &str, is_secret: bool, env: Option<&str>) -> eyre::Result<()> {
    let config = CliConfig::load_with_env(env)?;

    if let Some(ref name) = config.env_name {
        println!("Environment: {}", name);
    }

    let service_id = get_service_id(&config).await?;

    let payload = serde_json::json!({
        "key": key,
        "value": value,
        "is_secret": is_secret,
    });

    let client = config.http_client();
    let resp = config
        .auth_request(
            &client,
            reqwest::Method::PUT,
            &format!("{}/api/services/{}/config", config.api_url, service_id),
        )
        .json(&payload)
        .send()
        .await?;

    if resp.status().is_success() {
        println!("Config '{}' set successfully", key);
    } else {
        let status = resp.status();
        let body = resp.text().await.unwrap_or_default();
        eyre::bail!("Failed to set config ({}): {}", status, body);
    }

    Ok(())
}

/// Delete a config value
pub async fn delete(key: &str, env: Option<&str>) -> eyre::Result<()> {
    let config = CliConfig::load_with_env(env)?;

    if let Some(ref name) = config.env_name {
        println!("Environment: {}", name);
    }

    let service_id = get_service_id(&config).await?;

    let client = config.http_client();
    let resp = config
        .auth_request(
            &client,
            reqwest::Method::DELETE,
            &format!(
                "{}/api/services/{}/config/{}",
                config.api_url, service_id, key
            ),
        )
        .send()
        .await?;

    if resp.status().is_success() {
        println!("Config '{}' deleted", key);
    } else {
        let status = resp.status();
        let body = resp.text().await.unwrap_or_default();
        eyre::bail!("Failed to delete config ({}): {}", status, body);
    }

    Ok(())
}

/// Sync configs and secrets from Cufflink.toml to the platform
pub async fn sync(env: Option<&str>) -> eyre::Result<()> {
    let config = CliConfig::load_with_env(env)?;

    if let Some(ref name) = config.env_name {
        println!("Environment: {}", name);
    }

    let service_id = get_service_id(&config).await?;

    let project =
        ProjectConfig::find_and_load()?.ok_or_else(|| eyre::eyre!("No Cufflink.toml found"))?;

    let env_name = env
        .map(|s| s.to_string())
        .or_else(|| project.service.default_env.clone())
        .ok_or_else(|| eyre::eyre!("No environment specified"))?;

    let env_config = project.get_env(&env_name)?;

    sync_to_platform(
        &config,
        &service_id,
        &env_config.config,
        &env_config.secrets,
        &project,
        &env_name,
    )
    .await
}

/// Sync configs and secrets to the platform. Used by both `config sync` and `deploy`.
pub async fn sync_to_platform(
    cli_config: &CliConfig,
    service_id: &str,
    configs: &HashMap<String, String>,
    secrets: &HashMap<String, String>,
    project: &ProjectConfig,
    env_name: &str,
) -> eyre::Result<()> {
    let client = cli_config.http_client();
    let config_url = format!("{}/api/services/{}/config", cli_config.api_url, service_id);

    // Sync plaintext configs
    let mut synced = 0;
    for (key, value) in configs {
        let payload = serde_json::json!({
            "key": key,
            "value": value,
            "is_secret": false,
        });

        let resp = cli_config
            .auth_request(&client, reqwest::Method::PUT, &config_url)
            .json(&payload)
            .send()
            .await?;

        if !resp.status().is_success() {
            let status = resp.status();
            let body = resp.text().await.unwrap_or_default();
            eyre::bail!("Failed to sync config '{}' ({}): {}", key, status, body);
        }
        synced += 1;
    }

    // Sync secrets from securestore
    let resolved_secrets = resolve_secret_refs(project, env_name, secrets)?;
    let mut secrets_synced = 0;
    for (config_key, value) in &resolved_secrets {
        let payload = serde_json::json!({
            "key": config_key,
            "value": value,
            "is_secret": true,
        });

        let resp = cli_config
            .auth_request(&client, reqwest::Method::PUT, &config_url)
            .json(&payload)
            .send()
            .await?;

        if !resp.status().is_success() {
            let status = resp.status();
            let body = resp.text().await.unwrap_or_default();
            eyre::bail!(
                "Failed to sync secret '{}' ({}): {}",
                config_key,
                status,
                body
            );
        }
        secrets_synced += 1;
    }

    if synced > 0 || secrets_synced > 0 {
        println!(
            "  Synced {} config(s) and {} secret(s)",
            synced, secrets_synced
        );
    }

    Ok(())
}

/// Resolve `secret_refs` (mapping `config_key → "group:name"`) against the
/// local securestore vault for the given environment. Returns a flat
/// `config_key → resolved_value` map.
fn resolve_secret_refs(
    project: &ProjectConfig,
    env_name: &str,
    secret_refs: &HashMap<String, String>,
) -> eyre::Result<HashMap<String, String>> {
    if secret_refs.is_empty() {
        return Ok(HashMap::new());
    }
    let store = super::secrets_cmd::load_store(project, env_name)?;
    let mut out = HashMap::with_capacity(secret_refs.len());
    for (config_key, store_name) in secret_refs {
        let value: String = store.get(store_name).map_err(|e| {
            eyre::eyre!(
                "Secret '{}' not found in securestore for '{}': {}",
                store_name,
                env_name,
                e
            )
        })?;
        out.insert(config_key.clone(), value);
    }
    Ok(out)
}

/// Resolve a service's declared `[config]` + `[secrets]` for an environment
/// into a flat env-var map. Plain config values pass through unchanged;
/// secret references like `"google_maps:api_key"` are resolved against the
/// local securestore vault.
///
/// This is the canonical "what env vars does this service declare for this
/// environment?" lookup. Use it anywhere you need ground-truth env values
/// (build-time injection, doctor commands, dry-run output, etc.) — the
/// platform's `GET /config` masks `is_secret=true` values and is unsuitable
/// for paths that need actual values.
pub fn resolve_local_envs(
    project: &ProjectConfig,
    env_name: &str,
) -> eyre::Result<HashMap<String, String>> {
    let env = project.get_env(env_name)?;
    let mut out = env.config.clone();
    out.extend(resolve_secret_refs(project, env_name, &env.secrets)?);
    Ok(out)
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::project_config::EnvironmentConfig;
    use securestore::{KeySource, SecretsManager};
    use tempfile::TempDir;

    fn make_project_with_vault(env_name: &str) -> (TempDir, ProjectConfig) {
        let tmp = tempfile::tempdir().unwrap();
        let project_dir = tmp.path().to_path_buf();
        let secrets_dir = project_dir.join("secrets");
        std::fs::create_dir_all(&secrets_dir).unwrap();

        // Mirrors `secrets init`: generate a fresh key, export it, then
        // build the vault against that key path so subsequent `load_store`
        // can decrypt without `CUFFLINK_SECRETS_KEY` being set.
        let key_path = secrets_dir.join(format!("{}.key", env_name));
        let vault_path = secrets_dir.join(format!("{}.json", env_name));
        let store_for_key = SecretsManager::new(KeySource::Csprng).unwrap();
        store_for_key.export_key(&key_path).unwrap();

        let mut store = SecretsManager::new(KeySource::Path(&key_path)).unwrap();
        store.set("google_maps:api_key", "AIzaSyTEST");
        store.set("postmark:api_key", "pm-test-token");
        store.save_as(&vault_path).unwrap();

        let project = ProjectConfig {
            service: Default::default(),
            environments: HashMap::new(),
            project_dir,
        };
        (tmp, project)
    }

    fn env_with(config: &[(&str, &str)], secrets: &[(&str, &str)]) -> EnvironmentConfig {
        EnvironmentConfig {
            api_url: "http://localhost:8080".to_string(),
            tenant: "default".to_string(),
            api_key_env: None,
            api_key: None,
            keycloak_url: None,
            keycloak_realm: None,
            keycloak_client_id: None,
            config: config
                .iter()
                .map(|(k, v)| (k.to_string(), v.to_string()))
                .collect(),
            secrets: secrets
                .iter()
                .map(|(k, v)| (k.to_string(), v.to_string()))
                .collect(),
        }
    }

    #[test]
    fn resolves_config_only_passes_values_through() {
        let (_tmp, mut project) = make_project_with_vault("staging");
        project.environments.insert(
            "staging".to_string(),
            env_with(&[("NEXT_PUBLIC_API_URL", "https://api.example")], &[]),
        );

        let envs = resolve_local_envs(&project, "staging").unwrap();
        assert_eq!(
            envs.get("NEXT_PUBLIC_API_URL").map(String::as_str),
            Some("https://api.example")
        );
    }

    #[test]
    fn resolves_secrets_against_local_vault() {
        let (_tmp, mut project) = make_project_with_vault("staging");
        project.environments.insert(
            "staging".to_string(),
            env_with(
                &[],
                &[("NEXT_PUBLIC_GOOGLE_MAPS_API_KEY", "google_maps:api_key")],
            ),
        );

        let envs = resolve_local_envs(&project, "staging").unwrap();
        assert_eq!(
            envs.get("NEXT_PUBLIC_GOOGLE_MAPS_API_KEY")
                .map(String::as_str),
            Some("AIzaSyTEST")
        );
    }

    #[test]
    fn resolves_mixed_config_and_secrets() {
        let (_tmp, mut project) = make_project_with_vault("staging");
        project.environments.insert(
            "staging".to_string(),
            env_with(
                &[("NEXT_PUBLIC_API_URL", "https://api.example")],
                &[
                    ("NEXT_PUBLIC_GOOGLE_MAPS_API_KEY", "google_maps:api_key"),
                    ("POSTMARK_API_KEY", "postmark:api_key"),
                ],
            ),
        );

        let envs = resolve_local_envs(&project, "staging").unwrap();
        assert_eq!(envs.len(), 3);
        assert_eq!(envs["NEXT_PUBLIC_API_URL"], "https://api.example");
        assert_eq!(envs["NEXT_PUBLIC_GOOGLE_MAPS_API_KEY"], "AIzaSyTEST");
        assert_eq!(envs["POSTMARK_API_KEY"], "pm-test-token");
    }

    #[test]
    fn errors_when_referenced_secret_missing_from_vault() {
        let (_tmp, mut project) = make_project_with_vault("staging");
        project.environments.insert(
            "staging".to_string(),
            env_with(&[], &[("MISSING_VAR", "missing:secret")]),
        );

        let err = resolve_local_envs(&project, "staging").unwrap_err();
        assert!(err.to_string().contains("missing:secret"));
        assert!(err.to_string().contains("staging"));
    }

    #[test]
    fn errors_for_unknown_environment() {
        let (_tmp, project) = make_project_with_vault("staging");

        let err = resolve_local_envs(&project, "nope").unwrap_err();
        assert!(err.to_string().contains("nope"));
    }
}