hashtree_cli/

config.rs

use anyhow::{Context, Result};
use nostr::nips::nip19::{FromBech32, ToBech32};
use nostr::{Keys, SecretKey};
use serde::{Deserialize, Serialize};
use std::fs;

#[derive(Debug, Clone, Default, Serialize, Deserialize)]
pub struct Config {
    #[serde(default)]
    pub server: ServerConfig,
    #[serde(default)]
    pub storage: StorageConfig,
    #[serde(default)]
    pub nostr: NostrConfig,
    #[serde(default)]
    pub blossom: BlossomConfig,
    #[serde(default)]
    pub sync: SyncConfig,
    #[serde(default)]
    pub cashu: CashuConfig,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct ServerConfig {
    #[serde(default = "default_bind_address")]
    pub bind_address: String,
    #[serde(default = "default_enable_auth")]
    pub enable_auth: bool,
    /// Port for the built-in STUN server (0 = disabled)
    #[serde(default = "default_stun_port")]
    pub stun_port: u16,
    /// Enable WebRTC P2P connections
    #[serde(default = "default_enable_webrtc")]
    pub enable_webrtc: bool,
    /// Allow anyone with valid Nostr auth to write (default: true)
    /// When false, only social graph members can write
    #[serde(default = "default_public_writes")]
    pub public_writes: bool,
    /// Allow public access to social graph snapshot endpoint (default: false)
    #[serde(default = "default_socialgraph_snapshot_public")]
    pub socialgraph_snapshot_public: bool,
}

fn default_public_writes() -> bool {
    true
}

fn default_socialgraph_snapshot_public() -> bool {
    false
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct StorageConfig {
    #[serde(default = "default_data_dir")]
    pub data_dir: String,
    #[serde(default = "default_max_size_gb")]
    pub max_size_gb: u64,
    /// Optional S3/R2 backend for blob storage
    #[serde(default)]
    pub s3: Option<S3Config>,
}

/// S3-compatible storage configuration (works with AWS S3, Cloudflare R2, MinIO, etc.)
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct S3Config {
    /// S3 endpoint URL (e.g., "https://<account_id>.r2.cloudflarestorage.com" for R2)
    pub endpoint: String,
    /// S3 bucket name
    pub bucket: String,
    /// Optional key prefix for all blobs (e.g., "blobs/")
    #[serde(default)]
    pub prefix: Option<String>,
    /// AWS region (use "auto" for R2)
    #[serde(default = "default_s3_region")]
    pub region: String,
    /// Access key ID (can also be set via AWS_ACCESS_KEY_ID env var)
    #[serde(default)]
    pub access_key: Option<String>,
    /// Secret access key (can also be set via AWS_SECRET_ACCESS_KEY env var)
    #[serde(default)]
    pub secret_key: Option<String>,
    /// Public URL for serving blobs (optional, for generating public URLs)
    #[serde(default)]
    pub public_url: Option<String>,
}

fn default_s3_region() -> String {
    "auto".to_string()
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct NostrConfig {
    #[serde(default = "default_relays")]
    pub relays: Vec<String>,
    /// List of npubs allowed to write (blossom uploads). If empty, uses public_writes setting.
    #[serde(default)]
    pub allowed_npubs: Vec<String>,
    /// Social graph root pubkey (npub). Defaults to own key if not set.
    #[serde(default)]
    pub socialgraph_root: Option<String>,
    /// How many hops to crawl the follow graph (default: 2)
    #[serde(default = "default_crawl_depth")]
    pub crawl_depth: u32,
    /// Max follow distance for write access (default: 3)
    #[serde(default = "default_max_write_distance")]
    pub max_write_distance: u32,
    /// Max size for the trusted social graph store in GB (default: 10)
    #[serde(default = "default_nostr_db_max_size_gb")]
    pub db_max_size_gb: u64,
    /// Max size for the social graph spambox in GB (default: 1)
    /// Set to 0 for memory-only spambox (no on-disk DB)
    #[serde(default = "default_nostr_spambox_max_size_gb")]
    pub spambox_max_size_gb: u64,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct BlossomConfig {
    /// File servers for push/pull (legacy, both read and write)
    #[serde(default)]
    pub servers: Vec<String>,
    /// Read-only file servers (fallback for fetching content)
    #[serde(default = "default_read_servers")]
    pub read_servers: Vec<String>,
    /// Write-enabled file servers (for uploading)
    #[serde(default = "default_write_servers")]
    pub write_servers: Vec<String>,
    /// Maximum upload size in MB (default: 5)
    #[serde(default = "default_max_upload_mb")]
    pub max_upload_mb: u64,
}

// Keep in sync with hashtree-config/src/lib.rs
fn default_read_servers() -> Vec<String> {
    vec![
        "https://cdn.iris.to".to_string(),
        "https://hashtree.iris.to".to_string(),
    ]
}

fn default_write_servers() -> Vec<String> {
    vec!["https://upload.iris.to".to_string()]
}

fn default_max_upload_mb() -> u64 {
    5
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct SyncConfig {
    /// Enable background sync (auto-pull trees)
    #[serde(default = "default_sync_enabled")]
    pub enabled: bool,
    /// Sync own trees (subscribed via Nostr)
    #[serde(default = "default_sync_own")]
    pub sync_own: bool,
    /// Sync followed users' public trees
    #[serde(default = "default_sync_followed")]
    pub sync_followed: bool,
    /// Max concurrent sync tasks
    #[serde(default = "default_max_concurrent")]
    pub max_concurrent: usize,
    /// WebRTC request timeout in milliseconds
    #[serde(default = "default_webrtc_timeout_ms")]
    pub webrtc_timeout_ms: u64,
    /// Blossom request timeout in milliseconds
    #[serde(default = "default_blossom_timeout_ms")]
    pub blossom_timeout_ms: u64,
}

#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct CashuConfig {
    /// Cashu mint base URLs we accept for bandwidth incentives.
    #[serde(default)]
    pub accepted_mints: Vec<String>,
    /// Default mint to use for wallet operations.
    #[serde(default)]
    pub default_mint: Option<String>,
    /// Default post-delivery payment offer for quoted retrievals.
    #[serde(default = "default_cashu_quote_payment_offer_sat")]
    pub quote_payment_offer_sat: u64,
    /// Quote validity window in milliseconds.
    #[serde(default = "default_cashu_quote_ttl_ms")]
    pub quote_ttl_ms: u32,
    /// Maximum time to wait for post-delivery settlement before recording a default.
    #[serde(default = "default_cashu_settlement_timeout_ms")]
    pub settlement_timeout_ms: u64,
    /// Block mints whose failed redemptions keep outnumbering successful redemptions.
    #[serde(default = "default_cashu_mint_failure_block_threshold")]
    pub mint_failure_block_threshold: u64,
    /// Base cap for trying a peer-suggested mint we do not already trust.
    #[serde(default = "default_cashu_peer_suggested_mint_base_cap_sat")]
    pub peer_suggested_mint_base_cap_sat: u64,
    /// Additional cap granted per successful delivery from that peer.
    #[serde(default = "default_cashu_peer_suggested_mint_success_step_sat")]
    pub peer_suggested_mint_success_step_sat: u64,
    /// Additional cap granted per settled payment received from that peer.
    #[serde(default = "default_cashu_peer_suggested_mint_receipt_step_sat")]
    pub peer_suggested_mint_receipt_step_sat: u64,
    /// Hard ceiling for untrusted peer-suggested mint exposure.
    #[serde(default = "default_cashu_peer_suggested_mint_max_cap_sat")]
    pub peer_suggested_mint_max_cap_sat: u64,
    /// Block serving peers whose unpaid defaults reach this threshold.
    #[serde(default)]
    pub payment_default_block_threshold: u64,
    /// Target chunk size for quoted paid delivery.
    #[serde(default = "default_cashu_chunk_target_bytes")]
    pub chunk_target_bytes: usize,
}

impl Default for CashuConfig {
    fn default() -> Self {
        Self {
            accepted_mints: Vec::new(),
            default_mint: None,
            quote_payment_offer_sat: default_cashu_quote_payment_offer_sat(),
            quote_ttl_ms: default_cashu_quote_ttl_ms(),
            settlement_timeout_ms: default_cashu_settlement_timeout_ms(),
            mint_failure_block_threshold: default_cashu_mint_failure_block_threshold(),
            peer_suggested_mint_base_cap_sat: default_cashu_peer_suggested_mint_base_cap_sat(),
            peer_suggested_mint_success_step_sat:
                default_cashu_peer_suggested_mint_success_step_sat(),
            peer_suggested_mint_receipt_step_sat:
                default_cashu_peer_suggested_mint_receipt_step_sat(),
            peer_suggested_mint_max_cap_sat: default_cashu_peer_suggested_mint_max_cap_sat(),
            payment_default_block_threshold: 0,
            chunk_target_bytes: default_cashu_chunk_target_bytes(),
        }
    }
}

fn default_cashu_quote_payment_offer_sat() -> u64 {
    3
}

fn default_cashu_quote_ttl_ms() -> u32 {
    1_500
}

fn default_cashu_settlement_timeout_ms() -> u64 {
    5_000
}

fn default_cashu_mint_failure_block_threshold() -> u64 {
    2
}

fn default_cashu_peer_suggested_mint_base_cap_sat() -> u64 {
    3
}

fn default_cashu_peer_suggested_mint_success_step_sat() -> u64 {
    1
}

fn default_cashu_peer_suggested_mint_receipt_step_sat() -> u64 {
    2
}

fn default_cashu_peer_suggested_mint_max_cap_sat() -> u64 {
    21
}

fn default_cashu_chunk_target_bytes() -> usize {
    32 * 1024
}

fn default_sync_enabled() -> bool {
    true
}

fn default_sync_own() -> bool {
    true
}

fn default_sync_followed() -> bool {
    true
}

fn default_max_concurrent() -> usize {
    3
}

fn default_webrtc_timeout_ms() -> u64 {
    2000
}

fn default_blossom_timeout_ms() -> u64 {
    10000
}

fn default_crawl_depth() -> u32 {
    2
}

fn default_max_write_distance() -> u32 {
    3
}

fn default_nostr_db_max_size_gb() -> u64 {
    10
}

fn default_nostr_spambox_max_size_gb() -> u64 {
    1
}

fn default_relays() -> Vec<String> {
    vec![
        "wss://relay.damus.io".to_string(),
        "wss://relay.snort.social".to_string(),
        "wss://nos.lol".to_string(),
        "wss://temp.iris.to".to_string(),
    ]
}

fn default_bind_address() -> String {
    "127.0.0.1:8080".to_string()
}

fn default_enable_auth() -> bool {
    true
}

fn default_stun_port() -> u16 {
    3478 // Standard STUN port (RFC 5389)
}

fn default_enable_webrtc() -> bool {
    true
}

fn default_data_dir() -> String {
    hashtree_config::get_hashtree_dir()
        .join("data")
        .to_string_lossy()
        .to_string()
}

fn default_max_size_gb() -> u64 {
    10
}

impl Default for ServerConfig {
    fn default() -> Self {
        Self {
            bind_address: default_bind_address(),
            enable_auth: default_enable_auth(),
            stun_port: default_stun_port(),
            enable_webrtc: default_enable_webrtc(),
            public_writes: default_public_writes(),
            socialgraph_snapshot_public: default_socialgraph_snapshot_public(),
        }
    }
}

impl Default for StorageConfig {
    fn default() -> Self {
        Self {
            data_dir: default_data_dir(),
            max_size_gb: default_max_size_gb(),
            s3: None,
        }
    }
}

impl Default for NostrConfig {
    fn default() -> Self {
        Self {
            relays: default_relays(),
            allowed_npubs: Vec::new(),
            socialgraph_root: None,
            crawl_depth: default_crawl_depth(),
            max_write_distance: default_max_write_distance(),
            db_max_size_gb: default_nostr_db_max_size_gb(),
            spambox_max_size_gb: default_nostr_spambox_max_size_gb(),
        }
    }
}

impl Default for BlossomConfig {
    fn default() -> Self {
        Self {
            servers: Vec::new(),
            read_servers: default_read_servers(),
            write_servers: default_write_servers(),
            max_upload_mb: default_max_upload_mb(),
        }
    }
}

impl Default for SyncConfig {
    fn default() -> Self {
        Self {
            enabled: default_sync_enabled(),
            sync_own: default_sync_own(),
            sync_followed: default_sync_followed(),
            max_concurrent: default_max_concurrent(),
            webrtc_timeout_ms: default_webrtc_timeout_ms(),
            blossom_timeout_ms: default_blossom_timeout_ms(),
        }
    }
}

impl Config {
    /// Load config from file, or create default if doesn't exist
    pub fn load() -> Result<Self> {
        let config_path = get_config_path();

        if config_path.exists() {
            let content = fs::read_to_string(&config_path).context("Failed to read config file")?;
            toml::from_str(&content).context("Failed to parse config file")
        } else {
            let config = Config::default();
            config.save()?;
            Ok(config)
        }
    }

    /// Save config to file
    pub fn save(&self) -> Result<()> {
        let config_path = get_config_path();

        // Ensure parent directory exists
        if let Some(parent) = config_path.parent() {
            fs::create_dir_all(parent)?;
        }

        let content = toml::to_string_pretty(self)?;
        fs::write(&config_path, content)?;

        Ok(())
    }
}

// Re-export path functions from hashtree_config
pub use hashtree_config::{get_auth_cookie_path, get_config_path, get_hashtree_dir, get_keys_path};

/// Generate and save auth cookie if it doesn't exist
pub fn ensure_auth_cookie() -> Result<(String, String)> {
    let cookie_path = get_auth_cookie_path();

    if cookie_path.exists() {
        read_auth_cookie()
    } else {
        generate_auth_cookie()
    }
}

/// Read existing auth cookie
pub fn read_auth_cookie() -> Result<(String, String)> {
    let cookie_path = get_auth_cookie_path();
    let content = fs::read_to_string(&cookie_path).context("Failed to read auth cookie")?;

    let parts: Vec<&str> = content.trim().split(':').collect();
    if parts.len() != 2 {
        anyhow::bail!("Invalid auth cookie format");
    }

    Ok((parts[0].to_string(), parts[1].to_string()))
}

/// Ensure keys file exists, generating one if not present
/// Returns (Keys, was_generated)
pub fn ensure_keys() -> Result<(Keys, bool)> {
    let keys_path = get_keys_path();

    if keys_path.exists() {
        let content = fs::read_to_string(&keys_path).context("Failed to read keys file")?;
        let entries = hashtree_config::parse_keys_file(&content);
        let nsec_str = entries
            .into_iter()
            .next()
            .map(|e| e.secret)
            .context("Keys file is empty")?;
        let secret_key = SecretKey::from_bech32(&nsec_str).context("Invalid nsec format")?;
        let keys = Keys::new(secret_key);
        Ok((keys, false))
    } else {
        let keys = generate_keys()?;
        Ok((keys, true))
    }
}

/// Read existing keys
pub fn read_keys() -> Result<Keys> {
    let keys_path = get_keys_path();
    let content = fs::read_to_string(&keys_path).context("Failed to read keys file")?;
    let entries = hashtree_config::parse_keys_file(&content);
    let nsec_str = entries
        .into_iter()
        .next()
        .map(|e| e.secret)
        .context("Keys file is empty")?;
    let secret_key = SecretKey::from_bech32(&nsec_str).context("Invalid nsec format")?;
    Ok(Keys::new(secret_key))
}

/// Get nsec string, ensuring keys file exists (generate if needed)
/// Returns (nsec_string, was_generated)
pub fn ensure_keys_string() -> Result<(String, bool)> {
    let keys_path = get_keys_path();

    if keys_path.exists() {
        let content = fs::read_to_string(&keys_path).context("Failed to read keys file")?;
        let entries = hashtree_config::parse_keys_file(&content);
        let nsec_str = entries
            .into_iter()
            .next()
            .map(|e| e.secret)
            .context("Keys file is empty")?;
        Ok((nsec_str, false))
    } else {
        let keys = generate_keys()?;
        let nsec = keys
            .secret_key()
            .to_bech32()
            .context("Failed to encode nsec")?;
        Ok((nsec, true))
    }
}

/// Generate new keys and save to file
pub fn generate_keys() -> Result<Keys> {
    let keys_path = get_keys_path();

    // Ensure parent directory exists
    if let Some(parent) = keys_path.parent() {
        fs::create_dir_all(parent)?;
    }

    // Generate new keys
    let keys = Keys::generate();
    let nsec = keys
        .secret_key()
        .to_bech32()
        .context("Failed to encode nsec")?;

    // Save to file
    fs::write(&keys_path, &nsec)?;

    // Set permissions to 0600 (owner read/write only)
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        let perms = fs::Permissions::from_mode(0o600);
        fs::set_permissions(&keys_path, perms)?;
    }

    Ok(keys)
}

/// Get 32-byte pubkey bytes from Keys.
pub fn pubkey_bytes(keys: &Keys) -> [u8; 32] {
    keys.public_key().to_bytes()
}

/// Parse npub to 32-byte pubkey
pub fn parse_npub(npub: &str) -> Result<[u8; 32]> {
    use nostr::PublicKey;
    let pk = PublicKey::from_bech32(npub).context("Invalid npub format")?;
    Ok(pk.to_bytes())
}

/// Generate new random auth cookie
pub fn generate_auth_cookie() -> Result<(String, String)> {
    use rand::Rng;

    let cookie_path = get_auth_cookie_path();

    // Ensure parent directory exists
    if let Some(parent) = cookie_path.parent() {
        fs::create_dir_all(parent)?;
    }

    // Generate random credentials
    let mut rng = rand::thread_rng();
    let username = format!("htree_{}", rng.gen::<u32>());
    let password: String = (0..32)
        .map(|_| {
            let idx = rng.gen_range(0..62);
            match idx {
                0..=25 => (b'a' + idx) as char,
                26..=51 => (b'A' + (idx - 26)) as char,
                _ => (b'0' + (idx - 52)) as char,
            }
        })
        .collect();

    // Save to file
    let content = format!("{}:{}", username, password);
    fs::write(&cookie_path, content)?;

    // Set permissions to 0600 (owner read/write only)
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        let perms = fs::Permissions::from_mode(0o600);
        fs::set_permissions(&cookie_path, perms)?;
    }

    Ok((username, password))
}

#[cfg(test)]
mod tests {
    use super::*;
    use tempfile::TempDir;

    #[test]
    fn test_config_default() {
        let config = Config::default();
        assert_eq!(config.server.bind_address, "127.0.0.1:8080");
        assert!(config.server.enable_auth);
        assert_eq!(config.storage.max_size_gb, 10);
        assert_eq!(config.nostr.crawl_depth, 2);
        assert_eq!(config.nostr.max_write_distance, 3);
        assert_eq!(config.nostr.db_max_size_gb, 10);
        assert_eq!(config.nostr.spambox_max_size_gb, 1);
        assert!(config.nostr.socialgraph_root.is_none());
        assert!(!config.server.socialgraph_snapshot_public);
        assert!(config.cashu.accepted_mints.is_empty());
        assert!(config.cashu.default_mint.is_none());
        assert_eq!(config.cashu.quote_payment_offer_sat, 3);
        assert_eq!(config.cashu.quote_ttl_ms, 1_500);
        assert_eq!(config.cashu.settlement_timeout_ms, 5_000);
        assert_eq!(config.cashu.mint_failure_block_threshold, 2);
        assert_eq!(config.cashu.peer_suggested_mint_base_cap_sat, 3);
        assert_eq!(config.cashu.peer_suggested_mint_success_step_sat, 1);
        assert_eq!(config.cashu.peer_suggested_mint_receipt_step_sat, 2);
        assert_eq!(config.cashu.peer_suggested_mint_max_cap_sat, 21);
        assert_eq!(config.cashu.payment_default_block_threshold, 0);
        assert_eq!(config.cashu.chunk_target_bytes, 32 * 1024);
    }

    #[test]
    fn test_nostr_config_deserialize_with_defaults() {
        let toml_str = r#"
[nostr]
relays = ["wss://relay.damus.io"]
"#;
        let config: Config = toml::from_str(toml_str).unwrap();
        assert_eq!(config.nostr.relays, vec!["wss://relay.damus.io"]);
        assert_eq!(config.nostr.crawl_depth, 2);
        assert_eq!(config.nostr.max_write_distance, 3);
        assert_eq!(config.nostr.db_max_size_gb, 10);
        assert_eq!(config.nostr.spambox_max_size_gb, 1);
        assert!(config.nostr.socialgraph_root.is_none());
    }

    #[test]
    fn test_nostr_config_deserialize_with_socialgraph() {
        let toml_str = r#"
[nostr]
relays = ["wss://relay.damus.io"]
socialgraph_root = "npub1test"
crawl_depth = 3
max_write_distance = 5
"#;
        let config: Config = toml::from_str(toml_str).unwrap();
        assert_eq!(config.nostr.socialgraph_root, Some("npub1test".to_string()));
        assert_eq!(config.nostr.crawl_depth, 3);
        assert_eq!(config.nostr.max_write_distance, 5);
        assert_eq!(config.nostr.db_max_size_gb, 10);
        assert_eq!(config.nostr.spambox_max_size_gb, 1);
    }

    #[test]
    fn test_cashu_config_deserialize_with_accepted_mints() {
        let toml_str = r#"
[cashu]
accepted_mints = ["https://mint1.example", "http://127.0.0.1:3338"]
default_mint = "https://mint1.example"
quote_payment_offer_sat = 5
quote_ttl_ms = 2500
settlement_timeout_ms = 7000
mint_failure_block_threshold = 3
peer_suggested_mint_base_cap_sat = 4
peer_suggested_mint_success_step_sat = 2
peer_suggested_mint_receipt_step_sat = 3
peer_suggested_mint_max_cap_sat = 34
payment_default_block_threshold = 2
chunk_target_bytes = 65536
"#;
        let config: Config = toml::from_str(toml_str).unwrap();
        assert_eq!(
            config.cashu.accepted_mints,
            vec![
                "https://mint1.example".to_string(),
                "http://127.0.0.1:3338".to_string()
            ]
        );
        assert_eq!(
            config.cashu.default_mint,
            Some("https://mint1.example".to_string())
        );
        assert_eq!(config.cashu.quote_payment_offer_sat, 5);
        assert_eq!(config.cashu.quote_ttl_ms, 2500);
        assert_eq!(config.cashu.settlement_timeout_ms, 7_000);
        assert_eq!(config.cashu.mint_failure_block_threshold, 3);
        assert_eq!(config.cashu.peer_suggested_mint_base_cap_sat, 4);
        assert_eq!(config.cashu.peer_suggested_mint_success_step_sat, 2);
        assert_eq!(config.cashu.peer_suggested_mint_receipt_step_sat, 3);
        assert_eq!(config.cashu.peer_suggested_mint_max_cap_sat, 34);
        assert_eq!(config.cashu.payment_default_block_threshold, 2);
        assert_eq!(config.cashu.chunk_target_bytes, 65_536);
    }

    #[test]
    fn test_auth_cookie_generation() -> Result<()> {
        let temp_dir = TempDir::new()?;

        // Mock the cookie path
        std::env::set_var("HOME", temp_dir.path());

        let (username, password) = generate_auth_cookie()?;

        assert!(username.starts_with("htree_"));
        assert_eq!(password.len(), 32);

        // Verify cookie file exists
        let cookie_path = get_auth_cookie_path();
        assert!(cookie_path.exists());

        // Verify reading works
        let (u2, p2) = read_auth_cookie()?;
        assert_eq!(username, u2);
        assert_eq!(password, p2);

        Ok(())
    }
}