greentic_setup/

engine.rs

//! Setup engine — orchestrates plan building and execution for
//! create/update/remove workflows.
//!
//! This is the main entry point that consumers (e.g. greentic-operator)
//! use to drive bundle setup.

use std::collections::BTreeSet;
use std::path::{Path, PathBuf};

use anyhow::{Context, anyhow};
use serde_json::{Map as JsonMap, Value};

use crate::answers_crypto;
use crate::bundle;
use crate::discovery;
use crate::plan::*;
use crate::platform_setup::{
    PlatformSetupAnswers, StaticRoutesPolicy, load_effective_static_routes_defaults,
    persist_static_routes_artifact,
};
use crate::setup_input;

#[derive(Clone, Debug, Default)]
pub struct LoadedAnswers {
    pub platform_setup: PlatformSetupAnswers,
    pub setup_answers: JsonMap<String, Value>,
}

/// The request object that drives plan building.
#[derive(Clone, Debug, Default)]
pub struct SetupRequest {
    pub bundle: PathBuf,
    pub bundle_name: Option<String>,
    pub pack_refs: Vec<String>,
    pub tenants: Vec<TenantSelection>,
    pub default_assignments: Vec<PackDefaultSelection>,
    pub providers: Vec<String>,
    pub update_ops: BTreeSet<UpdateOp>,
    pub remove_targets: BTreeSet<RemoveTarget>,
    pub packs_remove: Vec<PackRemoveSelection>,
    pub providers_remove: Vec<String>,
    pub tenants_remove: Vec<TenantSelection>,
    pub access_changes: Vec<AccessChangeSelection>,
    pub static_routes: StaticRoutesPolicy,
    pub deployment_targets: Vec<crate::deployment_targets::DeploymentTargetRecord>,
    pub setup_answers: serde_json::Map<String, serde_json::Value>,
    /// Filter by provider domain (messaging, events, secrets, oauth).
    pub domain_filter: Option<String>,
    /// Number of parallel setup operations.
    pub parallel: usize,
    /// Backup existing config before setup.
    pub backup: bool,
    /// Skip secrets initialization.
    pub skip_secrets_init: bool,
    /// Continue on error (best effort).
    pub best_effort: bool,
}

/// Configuration for the setup engine.
pub struct SetupConfig {
    pub tenant: String,
    pub team: Option<String>,
    pub env: String,
    pub offline: bool,
    pub verbose: bool,
}

/// The setup engine orchestrates plan → execute for bundle lifecycle.
pub struct SetupEngine {
    config: SetupConfig,
}

impl SetupEngine {
    pub fn new(config: SetupConfig) -> Self {
        Self { config }
    }

    /// Build a plan for the given mode and request.
    pub fn plan(
        &self,
        mode: SetupMode,
        request: &SetupRequest,
        dry_run: bool,
    ) -> anyhow::Result<SetupPlan> {
        match mode {
            SetupMode::Create => apply_create(request, dry_run),
            SetupMode::Update => apply_update(request, dry_run),
            SetupMode::Remove => apply_remove(request, dry_run),
        }
    }

    /// Print a human-readable plan summary to stdout.
    pub fn print_plan(&self, plan: &SetupPlan) {
        print_plan_summary(plan);
    }

    /// Access the engine configuration.
    pub fn config(&self) -> &SetupConfig {
        &self.config
    }

    /// Execute a setup plan.
    ///
    /// Runs each step in the plan, performing the actual bundle setup operations.
    /// Returns an execution report with details about what was done.
    pub fn execute(&self, plan: &SetupPlan) -> anyhow::Result<SetupExecutionReport> {
        if plan.dry_run {
            return Err(anyhow!("cannot execute a dry-run plan"));
        }

        let bundle = &plan.bundle;
        let mut report = SetupExecutionReport {
            bundle: bundle.clone(),
            resolved_packs: Vec::new(),
            resolved_manifests: Vec::new(),
            provider_updates: 0,
            warnings: Vec::new(),
        };

        for step in &plan.steps {
            match step.kind {
                SetupStepKind::NoOp => {
                    if self.config.verbose {
                        println!("  [skip] {}", step.description);
                    }
                }
                SetupStepKind::CreateBundle => {
                    self.execute_create_bundle(bundle, &plan.metadata)?;
                    if self.config.verbose {
                        println!("  [done] {}", step.description);
                    }
                }
                SetupStepKind::ResolvePacks => {
                    let resolved = self.execute_resolve_packs(bundle, &plan.metadata)?;
                    report.resolved_packs.extend(resolved);
                    if self.config.verbose {
                        println!("  [done] {}", step.description);
                    }
                }
                SetupStepKind::AddPacksToBundle => {
                    self.execute_add_packs_to_bundle(bundle, &report.resolved_packs)?;
                    let _ = crate::deployment_targets::persist_explicit_deployment_targets(
                        bundle,
                        &plan.metadata.deployment_targets,
                    );
                    if self.config.verbose {
                        println!("  [done] {}", step.description);
                    }
                }
                SetupStepKind::ValidateCapabilities => {
                    let cap_report = crate::capabilities::validate_and_upgrade_packs(bundle)?;
                    for warn in &cap_report.warnings {
                        report.warnings.push(warn.message.clone());
                    }
                    if self.config.verbose {
                        println!(
                            "  [done] {} (checked={}, upgraded={})",
                            step.description,
                            cap_report.checked,
                            cap_report.upgraded.len()
                        );
                    }
                }
                SetupStepKind::ApplyPackSetup => {
                    let count = self.execute_apply_pack_setup(bundle, &plan.metadata)?;
                    report.provider_updates += count;
                    if self.config.verbose {
                        println!("  [done] {}", step.description);
                    }
                }
                SetupStepKind::WriteGmapRules => {
                    self.execute_write_gmap_rules(bundle, &plan.metadata)?;
                    if self.config.verbose {
                        println!("  [done] {}", step.description);
                    }
                }
                SetupStepKind::RunResolver => {
                    // Resolver is typically run by the runtime, not setup
                    if self.config.verbose {
                        println!("  [skip] {} (deferred to runtime)", step.description);
                    }
                }
                SetupStepKind::CopyResolvedManifest => {
                    let manifests = self.execute_copy_resolved_manifests(bundle, &plan.metadata)?;
                    report.resolved_manifests.extend(manifests);
                    if self.config.verbose {
                        println!("  [done] {}", step.description);
                    }
                }
                SetupStepKind::ValidateBundle => {
                    self.execute_validate_bundle(bundle)?;
                    if self.config.verbose {
                        println!("  [done] {}", step.description);
                    }
                }
            }
        }

        Ok(report)
    }

    /// Emit an answers template JSON file.
    ///
    /// Discovers all packs in the bundle and generates a template with all
    /// setup questions. Users fill this in and pass it via `--answers`.
    pub fn emit_answers(
        &self,
        plan: &SetupPlan,
        output_path: &Path,
        key: Option<&str>,
        interactive: bool,
    ) -> anyhow::Result<()> {
        let bundle = &plan.bundle;

        // Build the answers document structure
        let mut answers_doc = serde_json::json!({
            "greentic_setup_version": "1.0.0",
            "bundle_source": bundle.display().to_string(),
            "tenant": self.config.tenant,
            "team": self.config.team,
            "env": self.config.env,
            "platform_setup": {
                "static_routes": plan.metadata.static_routes.to_answers(),
                "deployment_targets": plan.metadata.deployment_targets
            },
            "setup_answers": {}
        });

        if !plan.metadata.static_routes.public_web_enabled
            && plan.metadata.static_routes.public_base_url.is_none()
            && let Some(existing) = load_effective_static_routes_defaults(
                bundle,
                &self.config.tenant,
                self.config.team.as_deref(),
            )?
        {
            answers_doc["platform_setup"]["static_routes"] =
                serde_json::to_value(existing.to_answers())?;
        }

        // Discover packs and extract their QA specs
        let setup_answers = answers_doc
            .get_mut("setup_answers")
            .and_then(|v| v.as_object_mut())
            .ok_or_else(|| anyhow!("internal error: setup_answers not an object"))?;

        // Add existing answers from the plan metadata
        for (provider_id, answers) in &plan.metadata.setup_answers {
            setup_answers.insert(provider_id.clone(), answers.clone());
        }

        // Discover packs and populate question templates for all providers.
        // If a provider entry already exists but is empty, merge in the
        // questions from setup.yaml so the user sees what needs to be filled.
        if bundle.exists() {
            let discovered = discovery::discover(bundle)?;
            for provider in discovered.providers {
                let provider_id = provider.provider_id.clone();
                let existing_is_empty = setup_answers
                    .get(&provider_id)
                    .and_then(|v| v.as_object())
                    .is_some_and(|m| m.is_empty());
                if !setup_answers.contains_key(&provider_id) || existing_is_empty {
                    // Load the setup spec from the pack and create template
                    let template =
                        if let Some(spec) = setup_input::load_setup_spec(&provider.pack_path)? {
                            // Pack has setup.yaml - extract questions
                            let mut entries = JsonMap::new();
                            for question in &spec.questions {
                                let default_value = question
                                    .default
                                    .clone()
                                    .unwrap_or_else(|| Value::String(String::new()));
                                entries.insert(question.name.clone(), default_value);
                            }
                            entries
                        } else {
                            // Pack uses flow-based setup or has no questions
                            // Add empty entry so user knows pack exists
                            JsonMap::new()
                        };
                    setup_answers.insert(provider_id, Value::Object(template));
                }
            }
        }

        self.encrypt_secret_answers(bundle, &mut answers_doc, key, interactive)?;

        // Write the answers document to the output path
        let output_content = serde_json::to_string_pretty(&answers_doc)
            .context("failed to serialize answers document")?;

        if let Some(parent) = output_path.parent() {
            std::fs::create_dir_all(parent)
                .with_context(|| format!("failed to create directory: {}", parent.display()))?;
        }

        std::fs::write(output_path, output_content)
            .with_context(|| format!("failed to write answers to: {}", output_path.display()))?;

        println!("Answers template written to: {}", output_path.display());
        Ok(())
    }

    /// Load answers from a JSON/YAML file.
    pub fn load_answers(
        &self,
        answers_path: &Path,
        key: Option<&str>,
        interactive: bool,
    ) -> anyhow::Result<LoadedAnswers> {
        let raw = setup_input::load_setup_input(answers_path)?;
        let raw = if answers_crypto::has_encrypted_values(&raw) {
            let resolved_key = match key {
                Some(value) => value.to_string(),
                None if interactive => answers_crypto::prompt_for_key("decrypting answers")?,
                None => {
                    return Err(anyhow!(
                        "answers file contains encrypted secret values; rerun with --key or interactive input"
                    ));
                }
            };
            answers_crypto::decrypt_tree(&raw, &resolved_key)?
        } else {
            raw
        };
        match raw {
            Value::Object(map) => {
                let platform_setup = map
                    .get("platform_setup")
                    .cloned()
                    .map(serde_json::from_value)
                    .transpose()
                    .context("parse platform_setup answers")?
                    .unwrap_or_default();

                if let Some(Value::Object(setup_answers)) = map.get("setup_answers") {
                    Ok(LoadedAnswers {
                        platform_setup,
                        setup_answers: setup_answers.clone(),
                    })
                } else if map.contains_key("bundle_source")
                    || map.contains_key("tenant")
                    || map.contains_key("team")
                    || map.contains_key("env")
                    || map.contains_key("platform_setup")
                {
                    Ok(LoadedAnswers {
                        platform_setup,
                        setup_answers: JsonMap::new(),
                    })
                } else {
                    Ok(LoadedAnswers {
                        platform_setup,
                        setup_answers: map,
                    })
                }
            }
            _ => Err(anyhow!("answers file must be a JSON/YAML object")),
        }
    }

    fn encrypt_secret_answers(
        &self,
        bundle: &Path,
        answers_doc: &mut Value,
        key: Option<&str>,
        interactive: bool,
    ) -> anyhow::Result<()> {
        let setup_answers = answers_doc
            .get_mut("setup_answers")
            .and_then(Value::as_object_mut)
            .ok_or_else(|| anyhow!("internal error: setup_answers not an object"))?;
        let discovered = if bundle.exists() {
            discovery::discover(bundle)?
        } else {
            return Ok(());
        };

        let mut secret_paths = Vec::new();
        for provider in discovered.providers {
            let Some(form_spec) = crate::setup_to_formspec::pack_to_form_spec(
                &provider.pack_path,
                &provider.provider_id,
            ) else {
                continue;
            };
            let Some(provider_answers) = setup_answers
                .get_mut(&provider.provider_id)
                .and_then(Value::as_object_mut)
            else {
                continue;
            };
            for question in form_spec.questions {
                if !question.secret {
                    continue;
                }
                let Some(value) = provider_answers.get(&question.id).cloned() else {
                    continue;
                };
                if value.is_null() || value == Value::String(String::new()) {
                    continue;
                }
                secret_paths.push((provider.provider_id.clone(), question.id.clone(), value));
            }
        }

        if secret_paths.is_empty() {
            return Ok(());
        }

        let resolved_key = match key {
            Some(value) => value.to_string(),
            None if interactive => answers_crypto::prompt_for_key("encrypting answers")?,
            None => {
                return Err(anyhow!(
                    "answer document includes secret values; rerun with --key or interactive input"
                ));
            }
        };

        for (provider_id, field_id, value) in secret_paths {
            let encrypted = answers_crypto::encrypt_value(&value, &resolved_key)?;
            if let Some(provider_answers) = setup_answers
                .get_mut(&provider_id)
                .and_then(Value::as_object_mut)
            {
                provider_answers.insert(field_id, encrypted);
            }
        }

        Ok(())
    }

    // ── Step executors ─────────────────────────────────────────────────────

    fn execute_create_bundle(
        &self,
        bundle_path: &Path,
        metadata: &SetupPlanMetadata,
    ) -> anyhow::Result<()> {
        bundle::create_demo_bundle_structure(bundle_path, metadata.bundle_name.as_deref())
            .context("failed to create bundle structure")
    }

    fn execute_resolve_packs(
        &self,
        _bundle_path: &Path,
        metadata: &SetupPlanMetadata,
    ) -> anyhow::Result<Vec<ResolvedPackInfo>> {
        let mut resolved = Vec::new();

        for pack_ref in &metadata.pack_refs {
            // For now, we only support local pack refs (file paths)
            // OCI resolution requires async and the distributor client
            let path = PathBuf::from(pack_ref);

            // Try to canonicalize the path to handle relative paths correctly
            let resolved_path = if path.is_absolute() {
                path.clone()
            } else {
                std::env::current_dir()
                    .ok()
                    .map(|cwd| cwd.join(&path))
                    .unwrap_or_else(|| path.clone())
            };

            if resolved_path.exists() {
                let canonical = resolved_path
                    .canonicalize()
                    .unwrap_or(resolved_path.clone());
                resolved.push(ResolvedPackInfo {
                    source_ref: pack_ref.clone(),
                    mapped_ref: canonical.display().to_string(),
                    resolved_digest: format!("sha256:{}", compute_simple_hash(pack_ref)),
                    pack_id: canonical
                        .file_stem()
                        .and_then(|s| s.to_str())
                        .unwrap_or("unknown")
                        .to_string(),
                    entry_flows: Vec::new(),
                    cached_path: canonical.clone(),
                    output_path: canonical,
                });
            } else if pack_ref.starts_with("oci://")
                || pack_ref.starts_with("repo://")
                || pack_ref.starts_with("store://")
            {
                // Remote packs need async resolution via distributor-client
                // For now, we'll skip and let the caller handle this
                tracing::warn!("remote pack ref requires async resolution: {}", pack_ref);
            } else {
                // Log warning for unresolved local paths
                tracing::warn!(
                    "pack ref not found: {} (resolved to: {})",
                    pack_ref,
                    resolved_path.display()
                );
            }
        }

        Ok(resolved)
    }

    fn execute_add_packs_to_bundle(
        &self,
        bundle_path: &Path,
        resolved_packs: &[ResolvedPackInfo],
    ) -> anyhow::Result<()> {
        for pack in resolved_packs {
            // Determine target directory based on pack ID domain prefix
            let target_dir = Self::get_pack_target_dir(bundle_path, &pack.pack_id);
            std::fs::create_dir_all(&target_dir)?;

            let target_path = target_dir.join(format!("{}.gtpack", pack.pack_id));
            if pack.cached_path.exists() && !target_path.exists() {
                std::fs::copy(&pack.cached_path, &target_path).with_context(|| {
                    format!(
                        "failed to copy pack {} to {}",
                        pack.cached_path.display(),
                        target_path.display()
                    )
                })?;
            }
        }
        Ok(())
    }

    /// Determine the target directory for a pack based on its ID.
    ///
    /// Packs with domain prefixes (e.g., `messaging-telegram`, `events-webhook`)
    /// go to `providers/<domain>/`. Other packs go to `packs/`.
    fn get_pack_target_dir(bundle_path: &Path, pack_id: &str) -> PathBuf {
        const DOMAIN_PREFIXES: &[&str] = &[
            "messaging-",
            "events-",
            "oauth-",
            "secrets-",
            "mcp-",
            "state-",
        ];

        for prefix in DOMAIN_PREFIXES {
            if pack_id.starts_with(prefix) {
                let domain = prefix.trim_end_matches('-');
                return bundle_path.join("providers").join(domain);
            }
        }

        // Default to packs/ for non-provider packs
        bundle_path.join("packs")
    }

    fn execute_apply_pack_setup(
        &self,
        bundle_path: &Path,
        metadata: &SetupPlanMetadata,
    ) -> anyhow::Result<usize> {
        let mut count = 0;

        if !metadata.providers_remove.is_empty() {
            count +=
                self.execute_remove_provider_artifacts(bundle_path, &metadata.providers_remove)?;
        }

        // Auto-install provider packs that are referenced in setup_answers
        // but not yet present in the bundle.
        self.auto_install_provider_packs(bundle_path, metadata);

        // Discover packs so we can find pack_path for secret alias seeding
        let discovered = if bundle_path.exists() {
            discovery::discover(bundle_path).ok()
        } else {
            None
        };

        // Persist setup answers to local config files and dev secrets store
        for (provider_id, answers) in &metadata.setup_answers {
            // Write answers to provider config directory
            let config_dir = bundle_path.join("state").join("config").join(provider_id);
            std::fs::create_dir_all(&config_dir)?;

            let config_path = config_dir.join("setup-answers.json");
            let content = serde_json::to_string_pretty(answers)
                .context("failed to serialize setup answers")?;
            std::fs::write(&config_path, content).with_context(|| {
                format!(
                    "failed to write setup answers to: {}",
                    config_path.display()
                )
            })?;

            // Persist all answer values to the dev secrets store so that
            // WASM components can read them via the secrets API at runtime.
            let pack_path = discovered.as_ref().and_then(|d| {
                d.providers
                    .iter()
                    .find(|p| p.provider_id == *provider_id)
                    .map(|p| p.pack_path.as_path())
            });
            let env = crate::resolve_env(Some(&self.config.env));
            let rt = tokio::runtime::Runtime::new()
                .context("failed to create tokio runtime for secrets persistence")?;
            let persisted = rt.block_on(crate::qa::persist::persist_all_config_as_secrets(
                bundle_path,
                &env,
                &self.config.tenant,
                self.config.team.as_deref(),
                provider_id,
                answers,
                pack_path,
            ))?;
            if self.config.verbose && !persisted.is_empty() {
                println!(
                    "  [secrets] persisted {} key(s) for {provider_id}",
                    persisted.len()
                );
            }

            // Register webhooks if the provider needs one (e.g. Telegram, Slack, Webex)
            if let Some(result) = crate::webhook::register_webhook(
                provider_id,
                answers,
                &self.config.tenant,
                self.config.team.as_deref(),
            ) {
                let ok = result.get("ok").and_then(Value::as_bool).unwrap_or(false);
                if ok {
                    println!("  [webhook] registered for {provider_id}");
                } else {
                    let err = result
                        .get("error")
                        .and_then(Value::as_str)
                        .unwrap_or("unknown");
                    println!("  [webhook] WARNING: registration failed for {provider_id}: {err}");
                }
            }

            count += 1;
        }

        persist_static_routes_artifact(bundle_path, &metadata.static_routes)?;
        let _ = crate::deployment_targets::persist_explicit_deployment_targets(
            bundle_path,
            &metadata.deployment_targets,
        );

        // Print post-setup instructions for providers needing manual steps
        let provider_configs: Vec<(String, Value)> = metadata
            .setup_answers
            .iter()
            .map(|(id, val)| (id.clone(), val.clone()))
            .collect();
        let team = self.config.team.as_deref().unwrap_or("default");
        crate::webhook::print_post_setup_instructions(&provider_configs, &self.config.tenant, team);

        Ok(count)
    }

    fn execute_remove_provider_artifacts(
        &self,
        bundle_path: &Path,
        providers_remove: &[String],
    ) -> anyhow::Result<usize> {
        let mut removed = 0usize;
        let discovered = discovery::discover(bundle_path).ok();
        for provider_id in providers_remove {
            if let Some(discovered) = discovered.as_ref()
                && let Some(provider) = discovered
                    .providers
                    .iter()
                    .find(|provider| provider.provider_id == *provider_id)
            {
                if provider.pack_path.exists() {
                    std::fs::remove_file(&provider.pack_path).with_context(|| {
                        format!(
                            "failed to remove provider pack {}",
                            provider.pack_path.display()
                        )
                    })?;
                }
                removed += 1;
            } else {
                let target_dir = Self::get_pack_target_dir(bundle_path, provider_id);
                let target_path = target_dir.join(format!("{provider_id}.gtpack"));
                if target_path.exists() {
                    std::fs::remove_file(&target_path).with_context(|| {
                        format!("failed to remove provider pack {}", target_path.display())
                    })?;
                    removed += 1;
                }
            }

            let config_dir = bundle_path.join("state").join("config").join(provider_id);
            if config_dir.exists() {
                std::fs::remove_dir_all(&config_dir).with_context(|| {
                    format!(
                        "failed to remove provider config dir {}",
                        config_dir.display()
                    )
                })?;
            }
        }
        Ok(removed)
    }

    /// Search sibling bundles for provider packs referenced in setup_answers
    /// and install them into this bundle if missing.
    fn auto_install_provider_packs(&self, bundle_path: &Path, metadata: &SetupPlanMetadata) {
        let bundle_abs =
            std::fs::canonicalize(bundle_path).unwrap_or_else(|_| bundle_path.to_path_buf());

        for provider_id in metadata.setup_answers.keys() {
            let target_dir = Self::get_pack_target_dir(bundle_path, provider_id);
            let target_path = target_dir.join(format!("{provider_id}.gtpack"));
            if target_path.exists() {
                continue;
            }

            // Determine the provider domain from the ID
            let domain = Self::domain_from_provider_id(provider_id);

            // Search for the pack in sibling bundles and build output
            if let Some(source) = Self::find_provider_pack_source(provider_id, domain, &bundle_abs)
            {
                if let Err(err) = std::fs::create_dir_all(&target_dir) {
                    eprintln!(
                        "  [provider] WARNING: failed to create {}: {err}",
                        target_dir.display()
                    );
                    continue;
                }
                match std::fs::copy(&source, &target_path) {
                    Ok(_) => println!(
                        "  [provider] installed {provider_id}.gtpack from {}",
                        source.display()
                    ),
                    Err(err) => eprintln!(
                        "  [provider] WARNING: failed to copy {}: {err}",
                        source.display()
                    ),
                }
            } else {
                eprintln!(
                    "  [provider] WARNING: {provider_id}.gtpack not found in sibling bundles"
                );
            }
        }
    }

    /// Extract domain from a provider ID (e.g. "messaging-telegram" → "messaging").
    fn domain_from_provider_id(provider_id: &str) -> &str {
        const DOMAIN_PREFIXES: &[&str] = &[
            "messaging-",
            "events-",
            "oauth-",
            "secrets-",
            "mcp-",
            "state-",
            "telemetry-",
        ];
        for prefix in DOMAIN_PREFIXES {
            if provider_id.starts_with(prefix) {
                return prefix.trim_end_matches('-');
            }
        }
        "messaging" // default
    }

    /// Search known locations for a provider pack file.
    ///
    /// Search order:
    /// 1. Sibling bundle directories: `../<bundle>/providers/<domain>/<id>.gtpack`
    /// 2. Build output: `../greentic-messaging-providers/target/packs/<id>.gtpack`
    fn find_provider_pack_source(
        provider_id: &str,
        domain: &str,
        bundle_abs: &Path,
    ) -> Option<PathBuf> {
        let parent = bundle_abs.parent()?;
        let filename = format!("{provider_id}.gtpack");

        // 1. Sibling bundles
        if let Ok(entries) = std::fs::read_dir(parent) {
            for entry in entries.flatten() {
                let sibling = entry.path();
                if sibling == *bundle_abs || !sibling.is_dir() {
                    continue;
                }
                let candidate = sibling.join("providers").join(domain).join(&filename);
                if candidate.is_file() {
                    return Some(candidate);
                }
            }
        }

        // 2. Build output from greentic-messaging-providers
        for ancestor in parent.ancestors().take(4) {
            let candidate = ancestor
                .join("greentic-messaging-providers")
                .join("target")
                .join("packs")
                .join(&filename);
            if candidate.is_file() {
                return Some(candidate);
            }
        }

        None
    }

    fn execute_write_gmap_rules(
        &self,
        bundle_path: &Path,
        metadata: &SetupPlanMetadata,
    ) -> anyhow::Result<()> {
        for tenant_sel in &metadata.tenants {
            let gmap_path =
                bundle::gmap_path(bundle_path, &tenant_sel.tenant, tenant_sel.team.as_deref());

            if let Some(parent) = gmap_path.parent() {
                std::fs::create_dir_all(parent)?;
            }

            // Build gmap content from allow_paths
            let mut content = String::new();
            if tenant_sel.allow_paths.is_empty() {
                content.push_str("_ = forbidden\n");
            } else {
                for path in &tenant_sel.allow_paths {
                    content.push_str(&format!("{} = allowed\n", path));
                }
                content.push_str("_ = forbidden\n");
            }

            std::fs::write(&gmap_path, content)
                .with_context(|| format!("failed to write gmap: {}", gmap_path.display()))?;
        }
        Ok(())
    }

    fn execute_copy_resolved_manifests(
        &self,
        bundle_path: &Path,
        metadata: &SetupPlanMetadata,
    ) -> anyhow::Result<Vec<PathBuf>> {
        let mut manifests = Vec::new();
        let resolved_dir = bundle_path.join("resolved");
        std::fs::create_dir_all(&resolved_dir)?;

        for tenant_sel in &metadata.tenants {
            let filename =
                bundle::resolved_manifest_filename(&tenant_sel.tenant, tenant_sel.team.as_deref());
            let manifest_path = resolved_dir.join(&filename);

            // Create an empty manifest placeholder if it doesn't exist
            if !manifest_path.exists() {
                std::fs::write(&manifest_path, "# Resolved manifest placeholder\n")?;
            }
            manifests.push(manifest_path);
        }

        Ok(manifests)
    }

    fn execute_validate_bundle(&self, bundle_path: &Path) -> anyhow::Result<()> {
        bundle::validate_bundle_exists(bundle_path)
    }
}

// ── Plan builders ───────────────────────────────────────────────────────────

pub fn apply_create(request: &SetupRequest, dry_run: bool) -> anyhow::Result<SetupPlan> {
    if request.tenants.is_empty() {
        return Err(anyhow!("at least one tenant selection is required"));
    }

    let pack_refs = dedup_sorted(&request.pack_refs);
    let tenants = normalize_tenants(&request.tenants);

    let mut steps = Vec::new();
    if !pack_refs.is_empty() {
        steps.push(step(
            SetupStepKind::ResolvePacks,
            "Resolve selected pack refs via distributor client",
            [("count", pack_refs.len().to_string())],
        ));
    } else {
        steps.push(step(
            SetupStepKind::NoOp,
            "No pack refs selected; skipping pack resolution",
            [("reason", "empty_pack_refs".to_string())],
        ));
    }
    steps.push(step(
        SetupStepKind::CreateBundle,
        "Create demo bundle scaffold using existing conventions",
        [("bundle", request.bundle.display().to_string())],
    ));
    if !pack_refs.is_empty() {
        steps.push(step(
            SetupStepKind::AddPacksToBundle,
            "Copy fetched packs into bundle/packs",
            [("count", pack_refs.len().to_string())],
        ));
        steps.push(step(
            SetupStepKind::ValidateCapabilities,
            "Validate provider packs have capabilities extension",
            [("check", "greentic.ext.capabilities.v1".to_string())],
        ));
        steps.push(step(
            SetupStepKind::ApplyPackSetup,
            "Apply pack-declared setup outputs through internal setup hooks",
            [("status", "planned".to_string())],
        ));
    } else if !request.setup_answers.is_empty() {
        // No new packs to fetch, but answers were provided for existing packs
        steps.push(step(
            SetupStepKind::ValidateCapabilities,
            "Validate provider packs have capabilities extension",
            [("check", "greentic.ext.capabilities.v1".to_string())],
        ));
        steps.push(step(
            SetupStepKind::ApplyPackSetup,
            "Apply setup answers to existing bundle packs",
            [("providers", request.setup_answers.len().to_string())],
        ));
    } else {
        steps.push(step(
            SetupStepKind::NoOp,
            "No fetched packs to add or setup",
            [("reason", "empty_pack_refs".to_string())],
        ));
    }
    steps.push(step(
        SetupStepKind::WriteGmapRules,
        "Write tenant/team allow rules to gmap",
        [("targets", tenants.len().to_string())],
    ));
    steps.push(step(
        SetupStepKind::RunResolver,
        "Run resolver pipeline (same as demo allow)",
        [("resolver", "project::sync_project".to_string())],
    ));
    steps.push(step(
        SetupStepKind::CopyResolvedManifest,
        "Copy state/resolved manifests into resolved/ for demo start",
        [("targets", tenants.len().to_string())],
    ));
    steps.push(step(
        SetupStepKind::ValidateBundle,
        "Validate bundle is loadable by internal demo pipeline",
        [("check", "resolved manifests present".to_string())],
    ));

    Ok(SetupPlan {
        mode: "create".to_string(),
        dry_run,
        bundle: request.bundle.clone(),
        steps,
        metadata: build_metadata(request, pack_refs, tenants),
    })
}

pub fn apply_update(request: &SetupRequest, dry_run: bool) -> anyhow::Result<SetupPlan> {
    let pack_refs = dedup_sorted(&request.pack_refs);
    let tenants = normalize_tenants(&request.tenants);

    let mut ops = request.update_ops.clone();
    if ops.is_empty() {
        infer_update_ops(&mut ops, &pack_refs, request, &tenants);
    }

    let mut steps = vec![step(
        SetupStepKind::ValidateBundle,
        "Validate target bundle exists before update",
        [("mode", "update".to_string())],
    )];

    if ops.is_empty() {
        steps.push(step(
            SetupStepKind::NoOp,
            "No update operations selected",
            [("reason", "empty_update_ops".to_string())],
        ));
    }
    if ops.contains(&UpdateOp::PacksAdd) {
        if pack_refs.is_empty() {
            steps.push(step(
                SetupStepKind::NoOp,
                "packs_add selected without pack refs",
                [("reason", "empty_pack_refs".to_string())],
            ));
        } else {
            steps.push(step(
                SetupStepKind::ResolvePacks,
                "Resolve selected pack refs via distributor client",
                [("count", pack_refs.len().to_string())],
            ));
            steps.push(step(
                SetupStepKind::AddPacksToBundle,
                "Copy fetched packs into bundle/packs",
                [("count", pack_refs.len().to_string())],
            ));
        }
    }
    if ops.contains(&UpdateOp::PacksRemove) {
        if request.packs_remove.is_empty() {
            steps.push(step(
                SetupStepKind::NoOp,
                "packs_remove selected without targets",
                [("reason", "empty_packs_remove".to_string())],
            ));
        } else {
            steps.push(step(
                SetupStepKind::AddPacksToBundle,
                "Remove pack artifacts/default links from bundle",
                [("count", request.packs_remove.len().to_string())],
            ));
        }
    }
    if ops.contains(&UpdateOp::ProvidersAdd) {
        if request.providers.is_empty() && pack_refs.is_empty() {
            steps.push(step(
                SetupStepKind::NoOp,
                "providers_add selected without providers or new packs",
                [("reason", "empty_providers_add".to_string())],
            ));
        } else {
            steps.push(step(
                SetupStepKind::ApplyPackSetup,
                "Enable providers in providers/providers.json",
                [("count", request.providers.len().to_string())],
            ));
        }
    }
    if ops.contains(&UpdateOp::ProvidersRemove) {
        if request.providers_remove.is_empty() {
            steps.push(step(
                SetupStepKind::NoOp,
                "providers_remove selected without providers",
                [("reason", "empty_providers_remove".to_string())],
            ));
        } else {
            steps.push(step(
                SetupStepKind::ApplyPackSetup,
                "Disable/remove providers in providers/providers.json",
                [("count", request.providers_remove.len().to_string())],
            ));
        }
    }
    if ops.contains(&UpdateOp::TenantsAdd) {
        if tenants.is_empty() {
            steps.push(step(
                SetupStepKind::NoOp,
                "tenants_add selected without tenant targets",
                [("reason", "empty_tenants_add".to_string())],
            ));
        } else {
            steps.push(step(
                SetupStepKind::WriteGmapRules,
                "Ensure tenant/team directories and allow rules",
                [("targets", tenants.len().to_string())],
            ));
        }
    }
    if ops.contains(&UpdateOp::TenantsRemove) {
        if request.tenants_remove.is_empty() {
            steps.push(step(
                SetupStepKind::NoOp,
                "tenants_remove selected without tenant targets",
                [("reason", "empty_tenants_remove".to_string())],
            ));
        } else {
            steps.push(step(
                SetupStepKind::WriteGmapRules,
                "Remove tenant/team directories and related rules",
                [("targets", request.tenants_remove.len().to_string())],
            ));
        }
    }
    if ops.contains(&UpdateOp::AccessChange) {
        let access_count = request.access_changes.len()
            + tenants.iter().filter(|t| !t.allow_paths.is_empty()).count();
        if access_count == 0 {
            steps.push(step(
                SetupStepKind::NoOp,
                "access_change selected without mutations",
                [("reason", "empty_access_changes".to_string())],
            ));
        } else {
            steps.push(step(
                SetupStepKind::WriteGmapRules,
                "Apply access rule updates",
                [("changes", access_count.to_string())],
            ));
            steps.push(step(
                SetupStepKind::RunResolver,
                "Run resolver pipeline (same as demo allow/forbid)",
                [("resolver", "project::sync_project".to_string())],
            ));
            steps.push(step(
                SetupStepKind::CopyResolvedManifest,
                "Copy state/resolved manifests into resolved/ for demo start",
                [("targets", tenants.len().to_string())],
            ));
        }
    }
    steps.push(step(
        SetupStepKind::ValidateBundle,
        "Validate bundle is loadable by internal demo pipeline",
        [("check", "resolved manifests present".to_string())],
    ));

    Ok(SetupPlan {
        mode: SetupMode::Update.as_str().to_string(),
        dry_run,
        bundle: request.bundle.clone(),
        steps,
        metadata: build_metadata_with_ops(request, pack_refs, tenants, ops),
    })
}

pub fn apply_remove(request: &SetupRequest, dry_run: bool) -> anyhow::Result<SetupPlan> {
    let tenants = normalize_tenants(&request.tenants);

    let mut targets = request.remove_targets.clone();
    if targets.is_empty() {
        if !request.packs_remove.is_empty() {
            targets.insert(RemoveTarget::Packs);
        }
        if !request.providers_remove.is_empty() {
            targets.insert(RemoveTarget::Providers);
        }
        if !request.tenants_remove.is_empty() {
            targets.insert(RemoveTarget::TenantsTeams);
        }
    }

    let mut steps = vec![step(
        SetupStepKind::ValidateBundle,
        "Validate target bundle exists before remove",
        [("mode", "remove".to_string())],
    )];

    if targets.is_empty() {
        steps.push(step(
            SetupStepKind::NoOp,
            "No remove targets selected",
            [("reason", "empty_remove_targets".to_string())],
        ));
    }
    if targets.contains(&RemoveTarget::Packs) {
        if request.packs_remove.is_empty() {
            steps.push(step(
                SetupStepKind::NoOp,
                "packs target selected without pack identifiers",
                [("reason", "empty_packs_remove".to_string())],
            ));
        } else {
            steps.push(step(
                SetupStepKind::AddPacksToBundle,
                "Delete pack files/default links from bundle",
                [("count", request.packs_remove.len().to_string())],
            ));
        }
    }
    if targets.contains(&RemoveTarget::Providers) {
        if request.providers_remove.is_empty() {
            steps.push(step(
                SetupStepKind::NoOp,
                "providers target selected without provider ids",
                [("reason", "empty_providers_remove".to_string())],
            ));
        } else {
            steps.push(step(
                SetupStepKind::ApplyPackSetup,
                "Remove provider entries from providers/providers.json",
                [("count", request.providers_remove.len().to_string())],
            ));
        }
    }
    if targets.contains(&RemoveTarget::TenantsTeams) {
        if request.tenants_remove.is_empty() {
            steps.push(step(
                SetupStepKind::NoOp,
                "tenants_teams target selected without tenant/team ids",
                [("reason", "empty_tenants_remove".to_string())],
            ));
        } else {
            steps.push(step(
                SetupStepKind::WriteGmapRules,
                "Delete tenant/team directories and access rules",
                [("count", request.tenants_remove.len().to_string())],
            ));
            steps.push(step(
                SetupStepKind::RunResolver,
                "Run resolver pipeline after tenant/team removals",
                [("resolver", "project::sync_project".to_string())],
            ));
            steps.push(step(
                SetupStepKind::CopyResolvedManifest,
                "Copy state/resolved manifests into resolved/ for demo start",
                [("targets", tenants.len().to_string())],
            ));
        }
    }
    steps.push(step(
        SetupStepKind::ValidateBundle,
        "Validate bundle is loadable by internal demo pipeline",
        [("check", "resolved manifests present".to_string())],
    ));

    Ok(SetupPlan {
        mode: SetupMode::Remove.as_str().to_string(),
        dry_run,
        bundle: request.bundle.clone(),
        steps,
        metadata: SetupPlanMetadata {
            bundle_name: request.bundle_name.clone(),
            pack_refs: Vec::new(),
            tenants,
            default_assignments: request.default_assignments.clone(),
            providers: request.providers.clone(),
            update_ops: request.update_ops.clone(),
            remove_targets: targets,
            packs_remove: request.packs_remove.clone(),
            providers_remove: request.providers_remove.clone(),
            tenants_remove: request.tenants_remove.clone(),
            access_changes: request.access_changes.clone(),
            static_routes: request.static_routes.clone(),
            deployment_targets: request.deployment_targets.clone(),
            setup_answers: request.setup_answers.clone(),
        },
    })
}

/// Print a human-readable plan summary.
pub fn print_plan_summary(plan: &SetupPlan) {
    println!("wizard plan: mode={} dry_run={}", plan.mode, plan.dry_run);
    println!("bundle: {}", plan.bundle.display());
    let noop_count = plan
        .steps
        .iter()
        .filter(|s| s.kind == SetupStepKind::NoOp)
        .count();
    if noop_count > 0 {
        println!("no-op steps: {noop_count}");
    }
    for (index, s) in plan.steps.iter().enumerate() {
        println!("{}. {}", index + 1, s.description);
    }
}

// ── Helpers ─────────────────────────────────────────────────────────────────

fn dedup_sorted(refs: &[String]) -> Vec<String> {
    let mut v: Vec<String> = refs
        .iter()
        .map(|r| r.trim().to_string())
        .filter(|r| !r.is_empty())
        .collect();
    v.sort();
    v.dedup();
    v
}

fn normalize_tenants(tenants: &[TenantSelection]) -> Vec<TenantSelection> {
    let mut result: Vec<TenantSelection> = tenants
        .iter()
        .map(|t| {
            let mut t = t.clone();
            t.allow_paths.sort();
            t.allow_paths.dedup();
            t
        })
        .collect();
    result.sort_by(|a, b| {
        a.tenant
            .cmp(&b.tenant)
            .then_with(|| a.team.cmp(&b.team))
            .then_with(|| a.allow_paths.cmp(&b.allow_paths))
    });
    result
}

fn infer_update_ops(
    ops: &mut BTreeSet<UpdateOp>,
    pack_refs: &[String],
    request: &SetupRequest,
    tenants: &[TenantSelection],
) {
    if !pack_refs.is_empty() {
        ops.insert(UpdateOp::PacksAdd);
    }
    if !request.providers.is_empty() {
        ops.insert(UpdateOp::ProvidersAdd);
    }
    if !request.providers_remove.is_empty() {
        ops.insert(UpdateOp::ProvidersRemove);
    }
    if !request.packs_remove.is_empty() {
        ops.insert(UpdateOp::PacksRemove);
    }
    if !tenants.is_empty() {
        ops.insert(UpdateOp::TenantsAdd);
    }
    if !request.tenants_remove.is_empty() {
        ops.insert(UpdateOp::TenantsRemove);
    }
    if !request.access_changes.is_empty() || tenants.iter().any(|t| !t.allow_paths.is_empty()) {
        ops.insert(UpdateOp::AccessChange);
    }
}

fn build_metadata(
    request: &SetupRequest,
    pack_refs: Vec<String>,
    tenants: Vec<TenantSelection>,
) -> SetupPlanMetadata {
    SetupPlanMetadata {
        bundle_name: request.bundle_name.clone(),
        pack_refs,
        tenants,
        default_assignments: request.default_assignments.clone(),
        providers: request.providers.clone(),
        update_ops: request.update_ops.clone(),
        remove_targets: request.remove_targets.clone(),
        packs_remove: request.packs_remove.clone(),
        providers_remove: request.providers_remove.clone(),
        tenants_remove: request.tenants_remove.clone(),
        access_changes: request.access_changes.clone(),
        static_routes: request.static_routes.clone(),
        deployment_targets: request.deployment_targets.clone(),
        setup_answers: request.setup_answers.clone(),
    }
}

fn build_metadata_with_ops(
    request: &SetupRequest,
    pack_refs: Vec<String>,
    tenants: Vec<TenantSelection>,
    ops: BTreeSet<UpdateOp>,
) -> SetupPlanMetadata {
    let mut meta = build_metadata(request, pack_refs, tenants);
    meta.update_ops = ops;
    meta
}

/// Compute a simple hash for a string (used for digest placeholders).
fn compute_simple_hash(input: &str) -> String {
    use std::collections::hash_map::DefaultHasher;
    use std::hash::{Hash, Hasher};

    let mut hasher = DefaultHasher::new();
    input.hash(&mut hasher);
    format!("{:016x}", hasher.finish())
}

#[cfg(test)]
mod tests {
    use super::*;
    use crate::bundle;
    use crate::platform_setup::static_routes_artifact_path;
    use serde_json::json;

    fn empty_request(bundle: PathBuf) -> SetupRequest {
        SetupRequest {
            bundle,
            bundle_name: None,
            pack_refs: Vec::new(),
            tenants: vec![TenantSelection {
                tenant: "demo".to_string(),
                team: Some("default".to_string()),
                allow_paths: vec!["packs/default".to_string()],
            }],
            default_assignments: Vec::new(),
            providers: Vec::new(),
            update_ops: BTreeSet::new(),
            remove_targets: BTreeSet::new(),
            packs_remove: Vec::new(),
            providers_remove: Vec::new(),
            tenants_remove: Vec::new(),
            access_changes: Vec::new(),
            static_routes: StaticRoutesPolicy::default(),
            setup_answers: serde_json::Map::new(),
            ..Default::default()
        }
    }

    #[test]
    fn create_plan_is_deterministic() {
        let req = SetupRequest {
            bundle: PathBuf::from("bundle"),
            bundle_name: None,
            pack_refs: vec![
                "repo://zeta/pack@1".to_string(),
                "repo://alpha/pack@1".to_string(),
                "repo://alpha/pack@1".to_string(),
            ],
            tenants: vec![
                TenantSelection {
                    tenant: "demo".to_string(),
                    team: Some("default".to_string()),
                    allow_paths: vec!["pack/b".to_string(), "pack/a".to_string()],
                },
                TenantSelection {
                    tenant: "alpha".to_string(),
                    team: None,
                    allow_paths: vec!["x".to_string()],
                },
            ],
            default_assignments: Vec::new(),
            providers: Vec::new(),
            update_ops: BTreeSet::new(),
            remove_targets: BTreeSet::new(),
            packs_remove: Vec::new(),
            providers_remove: Vec::new(),
            tenants_remove: Vec::new(),
            access_changes: Vec::new(),
            static_routes: StaticRoutesPolicy::default(),
            setup_answers: serde_json::Map::new(),
            ..Default::default()
        };
        let plan = apply_create(&req, true).unwrap();
        assert_eq!(
            plan.metadata.pack_refs,
            vec![
                "repo://alpha/pack@1".to_string(),
                "repo://zeta/pack@1".to_string()
            ]
        );
        assert_eq!(plan.metadata.tenants[0].tenant, "alpha");
        assert_eq!(
            plan.metadata.tenants[1].allow_paths,
            vec!["pack/a".to_string(), "pack/b".to_string()]
        );
    }

    #[test]
    fn dry_run_does_not_create_files() {
        let bundle = PathBuf::from("/tmp/nonexistent-bundle");
        let req = empty_request(bundle.clone());
        let _plan = apply_create(&req, true).unwrap();
        assert!(!bundle.exists());
    }

    #[test]
    fn create_requires_tenants() {
        let req = SetupRequest {
            tenants: vec![],
            ..empty_request(PathBuf::from("x"))
        };
        assert!(apply_create(&req, true).is_err());
    }

    #[test]
    fn load_answers_reads_platform_setup_and_provider_answers() {
        let temp = tempfile::tempdir().unwrap();
        let answers_path = temp.path().join("answers.yaml");
        std::fs::write(
            &answers_path,
            r#"
bundle_source: ./bundle
env: prod
platform_setup:
  static_routes:
    public_web_enabled: true
    public_base_url: https://example.com/base/
  deployment_targets:
    - target: aws
      provider_pack: packs/aws.gtpack
      default: true
setup_answers:
  messaging-webchat:
    jwt_signing_key: abc
"#,
        )
        .unwrap();

        let engine = SetupEngine::new(SetupConfig {
            tenant: "demo".into(),
            team: None,
            env: "prod".into(),
            offline: false,
            verbose: false,
        });
        let loaded = engine.load_answers(&answers_path, None, false).unwrap();
        assert_eq!(
            loaded
                .platform_setup
                .static_routes
                .as_ref()
                .and_then(|v| v.public_base_url.as_deref()),
            Some("https://example.com/base/")
        );
        assert_eq!(
            loaded
                .setup_answers
                .get("messaging-webchat")
                .and_then(|v| v.get("jwt_signing_key"))
                .and_then(Value::as_str),
            Some("abc")
        );
        assert_eq!(loaded.platform_setup.deployment_targets.len(), 1);
        assert_eq!(loaded.platform_setup.deployment_targets[0].target, "aws");
    }

    #[test]
    fn emit_answers_includes_platform_setup() {
        let temp = tempfile::tempdir().unwrap();
        let bundle_root = temp.path().join("bundle");
        bundle::create_demo_bundle_structure(&bundle_root, Some("demo")).unwrap();

        let engine = SetupEngine::new(SetupConfig {
            tenant: "demo".into(),
            team: None,
            env: "prod".into(),
            offline: false,
            verbose: false,
        });
        let request = SetupRequest {
            bundle: bundle_root.clone(),
            tenants: vec![TenantSelection {
                tenant: "demo".into(),
                team: None,
                allow_paths: Vec::new(),
            }],
            static_routes: StaticRoutesPolicy {
                public_web_enabled: true,
                public_base_url: Some("https://example.com".into()),
                public_surface_policy: "enabled".into(),
                default_route_prefix_policy: "pack_declared".into(),
                tenant_path_policy: "pack_declared".into(),
                ..StaticRoutesPolicy::default()
            },
            ..Default::default()
        };
        let plan = engine.plan(SetupMode::Create, &request, true).unwrap();
        let output = temp.path().join("answers.json");
        engine.emit_answers(&plan, &output, None, false).unwrap();
        let emitted: Value =
            serde_json::from_str(&std::fs::read_to_string(output).unwrap()).unwrap();
        assert_eq!(
            emitted["platform_setup"]["static_routes"]["public_base_url"],
            json!("https://example.com")
        );
        assert_eq!(emitted["platform_setup"]["deployment_targets"], json!([]));
    }

    #[test]
    fn emit_answers_falls_back_to_runtime_public_endpoint() {
        let temp = tempfile::tempdir().unwrap();
        let bundle_root = temp.path().join("bundle");
        bundle::create_demo_bundle_structure(&bundle_root, Some("demo")).unwrap();
        let runtime_dir = bundle_root
            .join("state")
            .join("runtime")
            .join("demo.default");
        std::fs::create_dir_all(&runtime_dir).unwrap();
        std::fs::write(
            runtime_dir.join("endpoints.json"),
            r#"{"tenant":"demo","team":"default","public_base_url":"https://runtime.example.com"}"#,
        )
        .unwrap();

        let engine = SetupEngine::new(SetupConfig {
            tenant: "demo".into(),
            team: Some("default".into()),
            env: "prod".into(),
            offline: false,
            verbose: false,
        });
        let request = SetupRequest {
            bundle: bundle_root.clone(),
            tenants: vec![TenantSelection {
                tenant: "demo".into(),
                team: Some("default".into()),
                allow_paths: Vec::new(),
            }],
            ..Default::default()
        };
        let plan = engine.plan(SetupMode::Create, &request, true).unwrap();
        let output = temp.path().join("answers-runtime.json");
        engine.emit_answers(&plan, &output, None, false).unwrap();
        let emitted: Value =
            serde_json::from_str(&std::fs::read_to_string(output).unwrap()).unwrap();
        assert_eq!(
            emitted["platform_setup"]["static_routes"]["public_base_url"],
            json!("https://runtime.example.com")
        );
    }

    #[test]
    fn execute_persists_static_routes_artifact() {
        let temp = tempfile::tempdir().unwrap();
        let bundle_root = temp.path().join("bundle");
        bundle::create_demo_bundle_structure(&bundle_root, Some("demo")).unwrap();

        let engine = SetupEngine::new(SetupConfig {
            tenant: "demo".into(),
            team: None,
            env: "prod".into(),
            offline: false,
            verbose: false,
        });
        let mut metadata = build_metadata(&empty_request(bundle_root.clone()), Vec::new(), vec![]);
        metadata.static_routes = StaticRoutesPolicy {
            public_web_enabled: true,
            public_base_url: Some("https://example.com".into()),
            public_surface_policy: "enabled".into(),
            default_route_prefix_policy: "pack_declared".into(),
            tenant_path_policy: "pack_declared".into(),
            ..StaticRoutesPolicy::default()
        };

        engine
            .execute_apply_pack_setup(&bundle_root, &metadata)
            .unwrap();
        let artifact = static_routes_artifact_path(&bundle_root);
        assert!(artifact.exists());
        let stored: Value =
            serde_json::from_str(&std::fs::read_to_string(artifact).unwrap()).unwrap();
        assert_eq!(stored["public_web_enabled"], json!(true));
    }

    #[test]
    fn remove_execute_deletes_provider_artifact_and_config_dir() {
        let temp = tempfile::tempdir().unwrap();
        let bundle_root = temp.path().join("bundle");
        bundle::create_demo_bundle_structure(&bundle_root, Some("demo")).unwrap();
        let provider_dir = bundle_root.join("providers").join("messaging");
        std::fs::create_dir_all(&provider_dir).unwrap();
        let provider_pack = provider_dir.join("messaging-webchat.gtpack");
        std::fs::copy(
            bundle_root.join("packs").join("default.gtpack"),
            &provider_pack,
        )
        .unwrap();
        let config_dir = bundle_root
            .join("state")
            .join("config")
            .join("messaging-webchat");
        std::fs::create_dir_all(&config_dir).unwrap();
        std::fs::write(config_dir.join("setup-answers.json"), "{}").unwrap();

        let engine = SetupEngine::new(SetupConfig {
            tenant: "demo".into(),
            team: None,
            env: "prod".into(),
            offline: false,
            verbose: false,
        });
        let request = SetupRequest {
            bundle: bundle_root.clone(),
            providers_remove: vec!["messaging-webchat".into()],
            ..Default::default()
        };
        let plan = engine.plan(SetupMode::Remove, &request, false).unwrap();
        engine.execute(&plan).unwrap();

        assert!(!provider_pack.exists());
        assert!(!config_dir.exists());
    }

    #[test]
    fn update_plan_preserves_static_routes_policy() {
        let req = SetupRequest {
            bundle: PathBuf::from("bundle"),
            tenants: vec![TenantSelection {
                tenant: "demo".into(),
                team: None,
                allow_paths: Vec::new(),
            }],
            static_routes: StaticRoutesPolicy {
                public_web_enabled: true,
                public_base_url: Some("https://example.com/new".into()),
                public_surface_policy: "enabled".into(),
                default_route_prefix_policy: "pack_declared".into(),
                tenant_path_policy: "pack_declared".into(),
                ..StaticRoutesPolicy::default()
            },
            ..Default::default()
        };
        let plan = apply_update(&req, true).unwrap();
        assert_eq!(
            plan.metadata.static_routes.public_base_url.as_deref(),
            Some("https://example.com/new")
        );
    }
}