greentic-setup-dev 1.1.26622982020

//! Step executor implementations for the setup engine.
//!
//! Each executor handles a specific `SetupStepKind`.

use std::collections::BTreeSet;
use std::path::{Path, PathBuf};

use anyhow::Context;
use serde_json::Value;
use sha2::{Digest, Sha256};

use crate::plan::{ResolvedPackInfo, SetupPlanMetadata};
use crate::{bundle, bundle_source::BundleSource, discovery};

use super::plan_builders::compute_simple_hash;
use super::types::SetupConfig;

pub struct ApplyPackSetupReport {
    pub provider_updates: usize,
    pub pending_setup_actions: Vec<crate::setup_actions::SetupAction>,
}

/// Resolve the canonical set of secret-marked answer keys for a pack (B12a).
///
/// The source of truth is `pack_to_form_spec()`, which unions:
/// - `setup.yaml` / `qa/*.json` questions with `secret: true`, and
/// - entries from `assets/secret-requirements.json` / CBOR manifest.
///
/// Each key is normalized via `canonical_secret_name` so the redaction
/// match logic below can mirror `seed_secret_requirement_aliases`'s
/// suffix-matching (so `bot_token` answers satisfy a `webex_bot_token`
/// requirement).
///
/// Returns `None` when the pack carries no setup metadata at all — the
/// caller should then refuse to write the transitional artifacts for
/// non-empty answers (B12a fail-closed contract).
fn resolve_secret_answer_keys(pack_path: &Path, provider_id: &str) -> Option<BTreeSet<String>> {
    let form = crate::setup_to_formspec::pack_to_form_spec(pack_path, provider_id)?;
    let secret_ids = form
        .questions
        .iter()
        .filter(|q| q.secret)
        .map(|q| crate::secret_name::canonical_secret_name(&q.id))
        .collect::<BTreeSet<String>>();
    Some(secret_ids)
}

/// Match an answer key (post-normalization) against the secret-marked set.
///
/// This MUST mirror `qa::persist::seed_secret_requirement_aliases` exactly
/// (`canonical_req_key.ends_with(&norm_cfg)`), so that the set of answers
/// redacted from disk is identical to the set persisted to the dev secrets
/// store as secrets. If redaction were narrower than seeding, a key the
/// persist path treats as a secret would stay as plaintext on disk — a leak.
///
/// Match when the answer key's canonical form equals a secret key, or a
/// secret key ends with it (forward direction only — so requirement
/// `webex_bot_token` is satisfied by answer `bot_token`). The earlier
/// version ALSO matched the reverse direction (`norm.ends_with(secret)`),
/// which the persist path does not do; that over-matched (answer `bot_token`
/// wrongly redacted for an unrelated secret `token`) and is dropped here.
fn is_secret_answer_key(answer_key: &str, secret_keys: &BTreeSet<String>) -> bool {
    let norm = crate::secret_name::canonical_secret_name(answer_key);
    secret_keys
        .iter()
        .any(|secret| secret == &norm || secret.ends_with(&norm))
}

/// Drop secret-marked answer values entirely (B12a). Used for the on-disk
/// `setup-answers.json` — its downstream readers in `greentic-start`
/// (`messaging_app::inject_pack_setup_answers`,
/// `ingress_dispatch::build_injected_config`) already source secret values
/// from `SecretsManager`, so the key has no value to contribute. Dropping
/// the key avoids putting any reference (URI or otherwise) into a JSON
/// value slot consumers may treat as the raw credential.
fn strip_secret_answer_keys(answers: &Value, secret_keys: &BTreeSet<String>) -> Value {
    let Some(map) = answers.as_object() else {
        return answers.clone();
    };
    let mut filtered = serde_json::Map::with_capacity(map.len());
    for (key, value) in map {
        if is_secret_answer_key(key, secret_keys) {
            continue;
        }
        filtered.insert(key.clone(), value.clone());
    }
    Value::Object(filtered)
}

/// Replace secret-marked answer values with canonical `secrets://` URI
/// references for the `config.envelope.cbor` artifact. Components that
/// already consume the envelope's config via the URI-resolving pattern
/// (e.g. greentic-start `notifier/config.rs` for state-redis) keep working
/// unchanged; components that read the `<key>_b64` injection see the
/// resolved plaintext from `SecretsManager` via `runner_host.get_secret`.
fn redact_secret_answer_values_to_uri_refs(
    answers: &Value,
    secret_keys: &BTreeSet<String>,
    env: &str,
    tenant: &str,
    team: Option<&str>,
    provider_id: &str,
) -> Value {
    let Some(map) = answers.as_object() else {
        return answers.clone();
    };
    let mut filtered = serde_json::Map::with_capacity(map.len());
    for (key, value) in map {
        if is_secret_answer_key(key, secret_keys) {
            let uri = crate::canonical_secret_uri(env, tenant, team, provider_id, key);
            filtered.insert(key.clone(), Value::String(uri));
        } else {
            filtered.insert(key.clone(), value.clone());
        }
    }
    Value::Object(filtered)
}

/// Decide the secret-key set for redaction, applying the B12a fail-closed
/// contract.
///
/// `resolved` carries a load-bearing `Option`:
///   - `Some(set)` — the pack HAS classifiable metadata. An empty set means
///     the pack legitimately declares zero secrets; proceed (write every
///     answer as non-secret). This is NOT a failure.
///   - `None` — no pack / no classifiable metadata at all. With non-empty
///     answers we cannot tell which are secret, so fail closed rather than
///     risk writing plaintext. With empty answers there's nothing to leak,
///     so proceed with an empty set.
fn secret_keys_or_fail_closed(
    resolved: Option<BTreeSet<String>>,
    answers: &Value,
    provider_id: &str,
) -> anyhow::Result<BTreeSet<String>> {
    match resolved {
        Some(set) => Ok(set),
        None if answers_have_content(answers) => anyhow::bail!(
            "B12a: refusing to write setup-answers for `{provider_id}` — the pack ships no \
             classifiable setup metadata (no setup.yaml / qa/*.json / secret-requirements), so \
             we can't tell which answers are secrets and won't risk writing plaintext. \
             Install/repair the pack with a setup.yaml (`secret: true` flags) or an \
             `assets/secret-requirements.json`, or pass an explicit pack ref, then retry.",
        ),
        None => Ok(BTreeSet::new()),
    }
}

/// Return true if `answers` is a JSON object with at least one non-null
/// string-typed field — i.e. material that could plausibly be a secret.
/// Used to decide whether the B12a fail-closed contract applies when the
/// redaction metadata can't be resolved.
fn answers_have_content(answers: &Value) -> bool {
    let Some(map) = answers.as_object() else {
        return false;
    };
    map.values().any(|v| match v {
        Value::String(s) => !s.is_empty(),
        Value::Null => false,
        _ => true,
    })
}

/// Execute the CreateBundle step.
pub fn execute_create_bundle(
    bundle_path: &Path,
    metadata: &SetupPlanMetadata,
) -> anyhow::Result<()> {
    bundle::create_demo_bundle_structure(bundle_path, metadata.bundle_name.as_deref())
        .context("failed to create bundle structure")
}

/// Execute the ResolvePacks step.
pub fn execute_resolve_packs(
    _bundle_path: &Path,
    metadata: &SetupPlanMetadata,
) -> anyhow::Result<Vec<ResolvedPackInfo>> {
    let mut resolved = Vec::new();
    let mut failures = Vec::new();

    for pack_ref in &metadata.pack_refs {
        match resolve_pack_ref(pack_ref) {
            Ok(resolved_path) => {
                let canonical = resolved_path
                    .canonicalize()
                    .unwrap_or(resolved_path.clone());
                let pack_meta = discovery::read_pack_meta(&canonical)?;
                resolved.push(ResolvedPackInfo {
                    source_ref: pack_ref.clone(),
                    mapped_ref: canonical.display().to_string(),
                    resolved_digest: compute_file_digest(&canonical)
                        .unwrap_or_else(|_| format!("sha256:{}", compute_simple_hash(pack_ref))),
                    pack_id: pack_meta.map(|meta| meta.pack_id).unwrap_or_else(|| {
                        canonical
                            .file_stem()
                            .and_then(|s| s.to_str())
                            .unwrap_or("unknown")
                            .to_string()
                    }),
                    entry_flows: Vec::new(),
                    cached_path: canonical.clone(),
                    output_path: canonical,
                });
            }
            Err(err) => {
                failures.push(format!("{pack_ref}: {err}"));
            }
        }
    }

    if !failures.is_empty() {
        anyhow::bail!(
            "failed to resolve {} pack ref(s):\n{}",
            failures.len(),
            failures.join("\n")
        );
    }

    Ok(resolved)
}

/// Execute the AddPacksToBundle step.
pub fn execute_add_packs_to_bundle(
    bundle_path: &Path,
    resolved_packs: &[ResolvedPackInfo],
) -> anyhow::Result<()> {
    let mut metadata_entries = Vec::new();

    for pack in resolved_packs {
        // Determine target directory based on pack ID domain prefix
        let target_dir = get_pack_target_dir(bundle_path, &pack.pack_id);
        std::fs::create_dir_all(&target_dir)?;

        let target_path = target_dir.join(format!("{}.gtpack", pack.pack_id));
        if pack.cached_path.exists() && !target_path.exists() {
            std::fs::copy(&pack.cached_path, &target_path).with_context(|| {
                format!(
                    "failed to copy pack {} to {}",
                    pack.cached_path.display(),
                    target_path.display()
                )
            })?;
        }

        let reference = target_path
            .strip_prefix(bundle_path)
            .unwrap_or(&target_path)
            .to_string_lossy()
            .replace('\\', "/");
        let kind = if reference.starts_with("providers/") {
            bundle::BundleReferenceKind::ExtensionProvider
        } else {
            bundle::BundleReferenceKind::AppPack
        };
        metadata_entries.push(bundle::BundleReference {
            kind,
            reference,
            digest: Some(pack.resolved_digest.clone()),
        });
    }

    bundle::register_bundle_references(bundle_path, &metadata_entries, None)?;
    Ok(())
}

/// Determine the target directory for a pack based on its ID.
///
/// Packs with domain prefixes (e.g., `messaging-telegram`, `events-webhook`)
/// go to `providers/<domain>/`. Other packs go to `packs/`.
pub fn get_pack_target_dir(bundle_path: &Path, pack_id: &str) -> PathBuf {
    const DOMAIN_PREFIXES: &[&str] = &[
        "messaging-",
        "events-",
        "oauth-",
        "secrets-",
        "mcp-",
        "state-",
    ];

    for prefix in DOMAIN_PREFIXES {
        if pack_id.starts_with(prefix) {
            let domain = prefix.trim_end_matches('-');
            return bundle_path.join("providers").join(domain);
        }
    }

    // Default to packs/ for non-provider packs
    bundle_path.join("packs")
}

/// Execute the ApplyPackSetup step.
pub fn execute_apply_pack_setup(
    bundle_path: &Path,
    metadata: &SetupPlanMetadata,
    config: &SetupConfig,
) -> anyhow::Result<ApplyPackSetupReport> {
    let mut count = 0;
    let mut pending_setup_actions = Vec::new();

    if !metadata.providers_remove.is_empty() {
        count += execute_remove_provider_artifacts(bundle_path, &metadata.providers_remove)?;
    }

    // Auto-install provider packs that are referenced in setup_answers
    // but not yet present in the bundle.
    auto_install_provider_packs(bundle_path, metadata);

    // Discover packs so we can find pack_path for secret alias seeding
    let discovered = if bundle_path.exists() {
        discovery::discover(bundle_path).ok()
    } else {
        None
    };

    // Persist setup answers to local config files and dev secrets store
    for (provider_id, answers) in &metadata.setup_answers {
        let mut setup_actions = crate::setup_actions::extract_setup_actions(
            provider_id,
            &config.tenant,
            config.team.as_deref(),
            answers,
        )?;
        if !setup_actions.is_empty() {
            crate::setup_actions::sign_pending_oauth_actions(bundle_path, &mut setup_actions)?;
            crate::setup_actions::persist_setup_actions(bundle_path, &setup_actions)?;
            pending_setup_actions.extend(setup_actions.clone());
        }
        let persisted_answers = crate::setup_actions::strip_setup_actions(answers);

        // Write answers to provider config directory
        let config_dir = bundle_path.join("state").join("config").join(provider_id);
        std::fs::create_dir_all(&config_dir)?;

        // Resolve the pack path early so we can both discover secret-marked
        // keys (to redact plaintext from the on-disk artifacts — B12a) and
        // pass it to the envelope writer + secrets-persist path.
        let pack_path = discovered.as_ref().and_then(|d| {
            d.find_setup_target(provider_id)
                .map(|p| p.pack_path.as_path())
        });
        let env = crate::resolve_env(Some(&config.env));

        // B12a fail-closed contract: resolve the secret-marked answer key
        // set from the pack's `pack_to_form_spec` (the union of setup.yaml /
        // qa/*.json `secret: true` questions and `secret-requirements.json`
        // entries). The `Option` is load-bearing:
        //   - `Some(set)` — the pack HAS a form spec. An empty set means the
        //     pack legitimately declares zero secrets (e.g. only model/url
        //     config); we proceed and write every answer as non-secret.
        //   - `None` — the pack ships NO classifiable metadata at all (no
        //     setup.yaml, no qa/*.json, no secret-requirements). We cannot
        //     tell which answers are secret, so with non-empty answers we
        //     fail closed rather than silently writing plaintext.
        // A missing pack path is the same "can't classify" situation.
        let resolved_secret_keys: Option<BTreeSet<String>> =
            pack_path.and_then(|pp| resolve_secret_answer_keys(pp, provider_id));
        let secret_keys = secret_keys_or_fail_closed(resolved_secret_keys, answers, provider_id)?;
        let answers_for_disk = strip_secret_answer_keys(answers, &secret_keys);
        let envelope_answers = redact_secret_answer_values_to_uri_refs(
            answers,
            &secret_keys,
            &env,
            &config.tenant,
            config.team.as_deref(),
            provider_id,
        );

        let config_path = config_dir.join("setup-answers.json");
        let content = serde_json::to_string_pretty(&answers_for_disk)
            .context("failed to serialize setup answers")?;
        std::fs::write(&config_path, content).with_context(|| {
            format!(
                "failed to write setup answers to: {}",
                config_path.display()
            )
        })?;

        if config.verbose {
            let team_display = config.team.as_deref().unwrap_or("(none)");
            println!(
                "  [secrets] scope: env={env}, tenant={}, team={team_display}, provider={provider_id}",
                config.tenant
            );
            let example_uri = crate::canonical_secret_uri(
                &env,
                &config.tenant,
                config.team.as_deref(),
                provider_id,
                "_example_key",
            );
            println!("  [secrets] URI pattern: {example_uri}");
            if let Some(config_map) = persisted_answers.as_object() {
                let keys: Vec<&String> = config_map.keys().collect();
                println!("  [secrets] answer keys: {keys:?}");
            }
        }
        let rt = tokio::runtime::Runtime::new()
            .context("failed to create tokio runtime for secrets persistence")?;
        let persisted = rt.block_on(crate::qa::persist::persist_all_config_as_secrets(
            bundle_path,
            &env,
            &config.tenant,
            config.team.as_deref(),
            provider_id,
            &persisted_answers,
            pack_path,
        ))?;
        if config.verbose {
            if persisted.is_empty() {
                println!(
                    "  [secrets] WARNING: 0 key(s) persisted for {provider_id} (all values empty?)"
                );
            } else {
                println!(
                    "  [secrets] persisted {} key(s) for {provider_id}: {:?}",
                    persisted.len(),
                    persisted
                );
            }
        }

        // Materialize a provider config envelope so runtime/provider ingest
        // paths can read setup-applied config. After B12a the envelope carries
        // `secrets://` URI references for secret-marked keys (matching the
        // canonical URIs in the dev secrets store) instead of plaintext.
        if let Some(pack_path) = pack_path {
            crate::config_envelope::write_provider_config_envelope(
                &bundle_path.join(".providers"),
                provider_id,
                "setup-input",
                &envelope_answers,
                pack_path,
                false,
            )
            .with_context(|| {
                format!(
                    "failed to write provider config envelope for {} using {}",
                    provider_id,
                    pack_path.display()
                )
            })?;
        } else if config.verbose {
            println!(
                "  [config] WARNING: no resolved pack path for {provider_id}; skipped config envelope write"
            );
        }

        // Sync OAuth answers to tenant config JSON for webchat-gui providers
        match crate::tenant_config::sync_oauth_to_tenant_config(
            bundle_path,
            &config.tenant,
            provider_id,
            &persisted_answers,
        ) {
            Ok(true) => {
                if config.verbose {
                    println!("  [oauth] updated tenant config for {provider_id}");
                }
            }
            Ok(false) => {}
            Err(e) => {
                println!("  [oauth] WARNING: failed to update tenant config: {e}");
            }
        }

        // Sync `skin` answer to tenant config JSON for webchat-gui providers
        match crate::tenant_config::sync_skin_to_tenant_config(
            bundle_path,
            &config.tenant,
            provider_id,
            &persisted_answers,
        ) {
            Ok(true) => {
                if config.verbose {
                    println!("  [skin] updated tenant config for {provider_id}");
                }
            }
            Ok(false) => {}
            Err(e) => {
                println!("  [skin] WARNING: failed to update tenant config: {e}");
            }
        }

        // Sync `nav_links_json` answer to tenant config JSON for webchat-gui providers
        if provider_id.contains("webchat-gui") && config.verbose {
            let preview = answers
                .as_object()
                .and_then(|m| m.get("nav_links"))
                .map(|v| serde_json::to_string(v).unwrap_or_else(|_| "<unserializable>".into()))
                .unwrap_or_else(|| "<absent>".into());
            println!("  [nav_links] received answer for {provider_id}: {preview}");
        }
        match crate::tenant_config::sync_nav_links_to_tenant_config(
            bundle_path,
            &config.tenant,
            provider_id,
            &persisted_answers,
        ) {
            Ok(true) => {
                if config.verbose {
                    println!("  [nav_links] updated tenant config for {provider_id}");
                }
            }
            Ok(false) => {}
            Err(e) => {
                println!("  [nav_links] WARNING: failed to update tenant config: {e}");
            }
        }

        // Register webhooks if the provider needs one (e.g. Telegram, Slack, Webex)
        if let Some(result) = crate::webhook::register_webhook(
            provider_id,
            &persisted_answers,
            &config.tenant,
            config.team.as_deref(),
        ) {
            let ok = result.get("ok").and_then(Value::as_bool).unwrap_or(false);
            if ok {
                println!("  [webhook] registered for {provider_id}");
            } else {
                let err = result
                    .get("error")
                    .and_then(Value::as_str)
                    .unwrap_or("unknown");
                println!("  [webhook] WARNING: registration failed for {provider_id}: {err}");
            }
        }

        count += 1;
    }

    crate::platform_setup::persist_static_routes_artifact(bundle_path, &metadata.static_routes)?;
    let _ = crate::deployment_targets::persist_explicit_deployment_targets(
        bundle_path,
        &metadata.deployment_targets,
    );

    // Print post-setup instructions for providers needing manual steps
    let provider_configs: Vec<(String, Value)> = metadata
        .setup_answers
        .iter()
        .map(|(id, val)| (id.clone(), val.clone()))
        .collect();
    let team = config.team.as_deref().unwrap_or("default");
    crate::webhook::print_post_setup_instructions(&provider_configs, &config.tenant, team);

    Ok(ApplyPackSetupReport {
        provider_updates: count,
        pending_setup_actions,
    })
}

fn compute_file_digest(path: &Path) -> anyhow::Result<String> {
    let bytes = std::fs::read(path).with_context(|| format!("read {}", path.display()))?;
    let digest = Sha256::digest(bytes);
    let encoded = digest
        .iter()
        .map(|byte| format!("{byte:02x}"))
        .collect::<String>();
    Ok(format!("sha256:{encoded}"))
}

fn resolve_pack_ref(pack_ref: &str) -> anyhow::Result<PathBuf> {
    let source = BundleSource::parse(pack_ref)?;
    let resolved = source.resolve()?;

    if resolved.extension().and_then(|ext| ext.to_str()) != Some("gtpack") {
        anyhow::bail!(
            "resolved pack ref is not a .gtpack file: {}",
            resolved.display()
        );
    }

    Ok(resolved)
}

/// Remove provider artifacts and config directories.
pub fn execute_remove_provider_artifacts(
    bundle_path: &Path,
    providers_remove: &[String],
) -> anyhow::Result<usize> {
    let mut removed = 0usize;
    let discovered = discovery::discover(bundle_path).ok();
    for provider_id in providers_remove {
        if let Some(discovered) = discovered.as_ref()
            && let Some(provider) = discovered
                .providers
                .iter()
                .find(|provider| provider.provider_id == *provider_id)
        {
            if provider.pack_path.exists() {
                std::fs::remove_file(&provider.pack_path).with_context(|| {
                    format!(
                        "failed to remove provider pack {}",
                        provider.pack_path.display()
                    )
                })?;
            }
            removed += 1;
        } else {
            let target_dir = get_pack_target_dir(bundle_path, provider_id);
            let target_path = target_dir.join(format!("{provider_id}.gtpack"));
            if target_path.exists() {
                std::fs::remove_file(&target_path).with_context(|| {
                    format!("failed to remove provider pack {}", target_path.display())
                })?;
                removed += 1;
            }
        }

        let config_dir = bundle_path.join("state").join("config").join(provider_id);
        if config_dir.exists() {
            std::fs::remove_dir_all(&config_dir).with_context(|| {
                format!(
                    "failed to remove provider config dir {}",
                    config_dir.display()
                )
            })?;
        }
    }
    Ok(removed)
}

/// Search sibling bundles for provider packs referenced in setup_answers
/// and install them into this bundle if missing.
///
/// "Missing" is determined by pack_id, not filename: a pack file with any
/// filename that declares the matching pack_id in its manifest counts as
/// already installed. Otherwise a custom-named pack (e.g. a tenant-specific
/// build placed alongside the canonical name) gets clobbered every time
/// setup runs.
pub fn auto_install_provider_packs(bundle_path: &Path, metadata: &SetupPlanMetadata) {
    let bundle_abs =
        std::fs::canonicalize(bundle_path).unwrap_or_else(|_| bundle_path.to_path_buf());

    let installed_ids: std::collections::HashSet<String> = discovery::discover(bundle_path)
        .map(|d| {
            d.providers
                .into_iter()
                .chain(d.app_packs)
                .map(|p| p.provider_id)
                .collect()
        })
        .unwrap_or_default();

    for provider_id in metadata.setup_answers.keys() {
        if installed_ids.contains(provider_id) {
            continue;
        }
        let target_dir = get_pack_target_dir(bundle_path, provider_id);
        let target_path = target_dir.join(format!("{provider_id}.gtpack"));
        if target_path.exists() {
            continue;
        }

        // Determine the provider domain from the ID
        let domain = domain_from_provider_id(provider_id);

        // Search for the pack in sibling bundles and build output
        if let Some(source) = find_provider_pack_source(provider_id, domain, &bundle_abs) {
            if let Err(err) = std::fs::create_dir_all(&target_dir) {
                eprintln!(
                    "  [provider] WARNING: failed to create {}: {err}",
                    target_dir.display()
                );
                continue;
            }
            match std::fs::copy(&source, &target_path) {
                Ok(_) => println!(
                    "  [provider] installed {provider_id}.gtpack from {}",
                    source.display()
                ),
                Err(err) => eprintln!(
                    "  [provider] WARNING: failed to copy {}: {err}",
                    source.display()
                ),
            }
        } else {
            eprintln!("  [provider] WARNING: {provider_id}.gtpack not found in sibling bundles");
        }
    }
}

/// Extract domain from a provider ID (e.g. "messaging-telegram" → "messaging").
pub fn domain_from_provider_id(provider_id: &str) -> &str {
    const DOMAIN_PREFIXES: &[&str] = &[
        "messaging-",
        "events-",
        "oauth-",
        "secrets-",
        "mcp-",
        "state-",
        "telemetry-",
    ];
    for prefix in DOMAIN_PREFIXES {
        if provider_id.starts_with(prefix) {
            return prefix.trim_end_matches('-');
        }
    }
    "messaging" // default
}

/// Search known locations for a provider pack file.
///
/// Search order:
/// 1. Sibling bundle directories: `../<bundle>/providers/<domain>/<id>.gtpack`
/// 2. Build output: `../greentic-messaging-providers/target/packs/<id>.gtpack`
pub fn find_provider_pack_source(
    provider_id: &str,
    domain: &str,
    bundle_abs: &Path,
) -> Option<PathBuf> {
    let parent = bundle_abs.parent()?;
    let filename = format!("{provider_id}.gtpack");

    // 1. Sibling bundles
    if let Ok(entries) = std::fs::read_dir(parent) {
        for entry in entries.flatten() {
            let sibling = entry.path();
            if sibling == *bundle_abs || !sibling.is_dir() {
                continue;
            }
            let candidate = sibling.join("providers").join(domain).join(&filename);
            if candidate.is_file() {
                return Some(candidate);
            }
        }
    }

    // 2. Build output from greentic-messaging-providers
    for ancestor in parent.ancestors().take(4) {
        let candidate = ancestor
            .join("greentic-messaging-providers")
            .join("target")
            .join("packs")
            .join(&filename);
        if candidate.is_file() {
            return Some(candidate);
        }
    }

    None
}

/// Execute the WriteGmapRules step.
pub fn execute_write_gmap_rules(
    bundle_path: &Path,
    metadata: &SetupPlanMetadata,
) -> anyhow::Result<()> {
    for tenant_sel in &metadata.tenants {
        let gmap_path =
            bundle::gmap_path(bundle_path, &tenant_sel.tenant, tenant_sel.team.as_deref());

        if let Some(parent) = gmap_path.parent() {
            std::fs::create_dir_all(parent)?;
        }

        // Build gmap content from allow_paths
        let mut content = String::new();
        if tenant_sel.allow_paths.is_empty() {
            content.push_str("_ = forbidden\n");
        } else {
            for path in &tenant_sel.allow_paths {
                content.push_str(&format!("{} = allowed\n", path));
            }
            content.push_str("_ = forbidden\n");
        }

        std::fs::write(&gmap_path, content)
            .with_context(|| format!("failed to write gmap: {}", gmap_path.display()))?;
    }
    Ok(())
}

/// Execute the CopyResolvedManifest step.
pub fn execute_copy_resolved_manifests(
    bundle_path: &Path,
    metadata: &SetupPlanMetadata,
) -> anyhow::Result<Vec<PathBuf>> {
    let mut manifests = Vec::new();
    let resolved_dir = bundle_path.join("resolved");
    std::fs::create_dir_all(&resolved_dir)?;

    for tenant_sel in &metadata.tenants {
        let filename =
            bundle::resolved_manifest_filename(&tenant_sel.tenant, tenant_sel.team.as_deref());
        let manifest_path = resolved_dir.join(&filename);

        // Create an empty manifest placeholder if it doesn't exist
        if !manifest_path.exists() {
            std::fs::write(&manifest_path, "# Resolved manifest placeholder\n")?;
        }
        manifests.push(manifest_path);
    }

    Ok(manifests)
}

/// Execute the ValidateBundle step.
pub fn execute_validate_bundle(bundle_path: &Path) -> anyhow::Result<()> {
    bundle::validate_bundle_exists(bundle_path)
}

/// Execute the BuildFlowIndex step.
///
/// Scans all flows in the bundle, builds a TF-IDF index and a routing-compatible
/// index, and optionally generates intents.md documentation.
/// Output is written to `bundle/state/indexes/`.
///
/// Requires the `fast2flow` feature AND the `fast2flow-bundle` crate wired as a
/// dependency.  Until `fast2flow-bundle` is published or vendored, this is a
/// no-op stub that logs a skip message.
pub fn execute_build_flow_index(_bundle_path: &Path, _config: &SetupConfig) -> anyhow::Result<()> {
    tracing::debug!("fast2flow indexing skipped (fast2flow-bundle not available)");
    Ok(())
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::platform_setup::StaticRoutesPolicy;
    use std::collections::BTreeSet;

    fn empty_metadata(pack_refs: Vec<String>) -> SetupPlanMetadata {
        SetupPlanMetadata {
            bundle_name: None,
            pack_refs,
            tenants: Vec::new(),
            default_assignments: Vec::new(),
            providers: Vec::new(),
            update_ops: BTreeSet::new(),
            remove_targets: BTreeSet::new(),
            packs_remove: Vec::new(),
            providers_remove: Vec::new(),
            tenants_remove: Vec::new(),
            access_changes: Vec::new(),
            static_routes: StaticRoutesPolicy::default(),
            deployment_targets: Vec::new(),
            setup_answers: serde_json::Map::new(),
            tunnel: None,
        }
    }

    #[test]
    fn resolve_packs_errors_when_any_pack_ref_fails() {
        let metadata = empty_metadata(vec!["/definitely/missing/example.gtpack".to_string()]);
        let err = execute_resolve_packs(Path::new("."), &metadata).unwrap_err();
        let message = err.to_string();

        assert!(message.contains("failed to resolve 1 pack ref"));
        assert!(message.contains("/definitely/missing/example.gtpack"));
    }

    /// Regression: a custom-named pack whose manifest declares the matching
    /// pack_id must satisfy `auto_install_provider_packs`. Filename-only
    /// detection caused tenant-specific builds (e.g. `*-3aigent.gtpack`) to
    /// be clobbered by the canonical name on every setup run.
    #[test]
    fn auto_install_skips_when_pack_id_matches_under_custom_filename() {
        use std::io::Write;
        use zip::write::{FileOptions, ZipWriter};

        let temp = tempfile::tempdir().expect("tempdir");
        let bundle = temp.path().join("bundle");
        let messaging_dir = bundle.join("providers").join("messaging");
        std::fs::create_dir_all(&messaging_dir).expect("create messaging dir");

        let custom_pack = messaging_dir.join("messaging-webchat-gui-3aigent.gtpack");
        let file = std::fs::File::create(&custom_pack).expect("create pack file");
        let mut writer = ZipWriter::new(file);
        let options: FileOptions<'_, ()> =
            FileOptions::default().compression_method(zip::CompressionMethod::Stored);
        writer
            .start_file("pack.manifest.json", options)
            .expect("start manifest");
        writer
            .write_all(
                serde_json::json!({
                    "pack_id": "messaging-webchat-gui",
                    "display_name": "WebChat GUI",
                })
                .to_string()
                .as_bytes(),
            )
            .expect("write manifest");
        writer.finish().expect("finish zip");

        let canonical_pack = messaging_dir.join("messaging-webchat-gui.gtpack");
        assert!(!canonical_pack.exists(), "precondition: canonical absent");

        let mut metadata = empty_metadata(vec![]);
        metadata.setup_answers.insert(
            "messaging-webchat-gui".to_string(),
            serde_json::Value::Object(serde_json::Map::new()),
        );

        auto_install_provider_packs(&bundle, &metadata);

        assert!(
            custom_pack.exists(),
            "custom-named pack must be left in place"
        );
        assert!(
            !canonical_pack.exists(),
            "must not auto-install canonical-named duplicate when pack_id already present"
        );
    }

    fn secret_keys_for(keys: &[&str]) -> BTreeSet<String> {
        keys.iter()
            .map(|k| crate::secret_name::canonical_secret_name(k))
            .collect()
    }

    #[test]
    fn envelope_redaction_replaces_secret_values_with_canonical_uri_refs() {
        let secret_keys = secret_keys_for(&["api_key", "oauth_client_secret"]);

        let answers = serde_json::json!({
            "model": "gpt-4o-mini",
            "api_key": "sk-PLAINTEXT-MUST-NOT-LEAK",
            "oauth_client_secret": "PLAINTEXT-OAUTH-SECRET",
            "non_secret_url": "https://api.openai.com/v1"
        });

        let redacted = redact_secret_answer_values_to_uri_refs(
            &answers,
            &secret_keys,
            "dev",
            "demo",
            Some("default"),
            "openai-llm",
        );

        let map = redacted.as_object().expect("object");
        assert_eq!(map["model"].as_str(), Some("gpt-4o-mini"));
        assert_eq!(
            map["non_secret_url"].as_str(),
            Some("https://api.openai.com/v1")
        );
        // `canonical_secret_uri` collapses the literal "default" team into
        // the wildcard segment `_` (see `canonical_team` in lib.rs).
        assert_eq!(
            map["api_key"].as_str(),
            Some("secrets://dev/demo/_/openai-llm/api_key"),
            "secret value must be replaced with canonical secrets:// URI",
        );
        assert_eq!(
            map["oauth_client_secret"].as_str(),
            Some("secrets://dev/demo/_/openai-llm/oauth_client_secret"),
        );

        let json = serde_json::to_string(&redacted).expect("serialize");
        assert!(
            !json.contains("PLAINTEXT-MUST-NOT-LEAK"),
            "api_key plaintext leaked into envelope JSON: {json}",
        );
        assert!(
            !json.contains("PLAINTEXT-OAUTH-SECRET"),
            "oauth_client_secret plaintext leaked into envelope JSON: {json}",
        );
    }

    #[test]
    fn setup_answers_redaction_drops_secret_keys_entirely() {
        // setup-answers.json's downstream readers in greentic-start skip
        // secret-marked keys (PR #179) and fetch from `SecretsManager`
        // instead, so the producer drops them from this artifact — no
        // value or URI ref appears in the JSON value slot.
        let secret_keys = secret_keys_for(&["api_key"]);
        let answers = serde_json::json!({
            "model": "gpt-4o-mini",
            "api_key": "sk-PLAINTEXT-MUST-NOT-LEAK"
        });

        let stripped = strip_secret_answer_keys(&answers, &secret_keys);
        let map = stripped.as_object().expect("object");
        assert_eq!(map["model"].as_str(), Some("gpt-4o-mini"));
        assert!(
            !map.contains_key("api_key"),
            "secret key must be removed entirely from setup-answers",
        );
        let json = serde_json::to_string(&stripped).expect("serialize");
        assert!(
            !json.contains("PLAINTEXT-MUST-NOT-LEAK"),
            "plaintext leaked into setup-answers: {json}",
        );
        assert!(
            !json.contains("secrets://"),
            "setup-answers must not carry URI refs either — readers fetch via SecretsManager",
        );
    }

    #[test]
    fn is_secret_answer_key_matches_aliases_via_canonical_suffix() {
        // Mirrors `qa::persist::seed_secret_requirement_aliases` (Codex
        // F3): a `webex_bot_token` requirement is satisfied by an answer
        // key `bot_token`, so redaction must match it too (forward direction:
        // secret key ends with answer key).
        let secret_keys = secret_keys_for(&["webex_bot_token"]);
        assert!(is_secret_answer_key("bot_token", &secret_keys));
        assert!(is_secret_answer_key("BOT_TOKEN", &secret_keys));
        assert!(is_secret_answer_key("webex_bot_token", &secret_keys));
        // Non-aliases must not match.
        assert!(!is_secret_answer_key("model", &secret_keys));
        assert!(!is_secret_answer_key("bot_url", &secret_keys));
    }

    #[test]
    fn is_secret_answer_key_does_not_over_match_reverse_direction() {
        // xhigh review C4: the previous symmetric `norm.ends_with(secret)`
        // direction over-matched. A pack whose ONLY secret is the short key
        // `token` must NOT cause an unrelated longer answer `bot_token` to be
        // redacted — `seed_secret_requirement_aliases` would not seed it
        // either (it matches `requirement.ends_with(answer)`, not the
        // reverse), so redaction must stay consistent and leave it alone.
        let secret_keys = secret_keys_for(&["token"]);
        assert!(is_secret_answer_key("token", &secret_keys));
        assert!(
            !is_secret_answer_key("bot_token", &secret_keys),
            "answer key longer than the secret key must not match (reverse direction removed)",
        );
        assert!(!is_secret_answer_key("refresh_token", &secret_keys));
    }

    #[test]
    fn is_secret_answer_key_punctuation_only_key_does_not_match_unrelated_secret() {
        // `canonical_secret_name` maps empty/punctuation-only keys to the
        // sentinel "secret"; it must not collide with an unrelated secret
        // key like `api_key`.
        let secret_keys = secret_keys_for(&["api_key"]);
        assert!(!is_secret_answer_key("", &secret_keys));
        assert!(!is_secret_answer_key("---", &secret_keys));
    }

    #[test]
    fn alias_answer_key_redacted_in_setup_answers_and_envelope() {
        // End-to-end check for Codex F3: requirement `webex_bot_token`,
        // operator-supplied key `bot_token`.
        let secret_keys = secret_keys_for(&["webex_bot_token"]);
        let answers = serde_json::json!({"bot_token": "T0K3N-MUST-NOT-LEAK"});

        let stripped = strip_secret_answer_keys(&answers, &secret_keys);
        assert!(
            stripped.as_object().unwrap().is_empty(),
            "alias-matched secret key must be dropped from setup-answers",
        );

        let envelope = redact_secret_answer_values_to_uri_refs(
            &answers,
            &secret_keys,
            "dev",
            "demo",
            None,
            "messaging-webex",
        );
        assert_eq!(
            envelope["bot_token"].as_str(),
            Some("secrets://dev/demo/_/messaging-webex/bot_token"),
        );
        let json = serde_json::to_string(&envelope).unwrap();
        assert!(!json.contains("T0K3N-MUST-NOT-LEAK"));
    }

    #[test]
    fn secret_keys_fail_closed_distinguishes_none_from_empty_set() {
        let content = serde_json::json!({"model": "gpt-4o"});
        let empty = serde_json::json!({});

        // xhigh review C3: a pack WITH a form spec that declares zero secrets
        // resolves to Some(empty) and MUST proceed (write all answers as
        // non-secret) — not bail.
        let r = secret_keys_or_fail_closed(Some(BTreeSet::new()), &content, "p").unwrap();
        assert!(r.is_empty(), "Some(empty) proceeds with no redaction");

        // Some(nonempty) passes the set through.
        let set = secret_keys_for(&["api_key"]);
        let r = secret_keys_or_fail_closed(Some(set.clone()), &content, "p").unwrap();
        assert_eq!(r, set);

        // None + content => fail closed (can't classify, won't risk plaintext).
        assert!(secret_keys_or_fail_closed(None, &content, "p").is_err());

        // None + empty answers => nothing to leak, proceed.
        assert!(
            secret_keys_or_fail_closed(None, &empty, "p")
                .unwrap()
                .is_empty()
        );
    }

    #[test]
    fn answers_have_content_distinguishes_empty_from_meaningful() {
        assert!(!answers_have_content(&serde_json::json!({})));
        assert!(!answers_have_content(&serde_json::json!({"a": null})));
        assert!(!answers_have_content(&serde_json::json!({"a": ""})));
        assert!(answers_have_content(&serde_json::json!({"a": "value"})));
        assert!(answers_have_content(&serde_json::json!({"a": 42})));
        assert!(answers_have_content(&serde_json::json!({"a": true})));
        assert!(answers_have_content(&serde_json::json!({"a": ["x"]})));
    }
}