void_core/support/

config.rs

//! Configuration module for void
//!
//! Manages repository and user settings stored in `.void/config.json`.

use super::error::{Result, VoidError};
use serde::{Deserialize, Serialize};
use std::collections::HashMap;
use std::path::Path;

/// Repository configuration
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
#[serde(default)]
pub struct Config {
    /// Schema version (from init)
    pub version: Option<u32>,
    /// Creation timestamp (from init)
    pub created: Option<String>,
    /// Repo secret for shard assignment (from init)
    #[serde(rename = "repoSecret")]
    pub repo_secret: Option<String>,
    /// Persistent repo UUID (from init)
    #[serde(rename = "repoId", skip_serializing_if = "Option::is_none")]
    pub repo_id: Option<String>,
    /// Human-friendly repo name (from init, derived from directory name)
    #[serde(rename = "repoName", skip_serializing_if = "Option::is_none")]
    pub repo_name: Option<String>,
    /// IPFS backend configuration
    pub ipfs: Option<IpfsConfig>,
    /// Tor daemon and onion routing configuration
    pub tor: Option<TorConfig>,
    /// User configuration
    pub user: UserConfig,
    /// Core settings
    pub core: CoreConfig,
    /// Remote configurations (name -> config)
    pub remote: HashMap<String, RemoteConfig>,
}

/// User identity configuration
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
pub struct UserConfig {
    /// User's display name
    pub name: Option<String>,
    /// User's email address
    pub email: Option<String>,
}

/// Core repository settings
#[derive(Debug, Clone, Serialize, Deserialize)]
#[serde(default)]
pub struct CoreConfig {
    /// Compression level (0-22 for zstd, default 3)
    pub compression_level: u8,
    /// Target shard size in bytes (default 100KB)
    pub target_shard_size: usize,
}

impl Default for CoreConfig {
    fn default() -> Self {
        Self {
            compression_level: 3,
            target_shard_size: 100_000,
        }
    }
}

/// IPFS backend configuration
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
#[serde(default)]
pub struct IpfsConfig {
    /// Backend type (kubo|gateway)
    pub backend: Option<String>,
    /// Kubo API URL
    #[serde(rename = "kuboApi")]
    pub kubo_api: Option<String>,
    /// Gateway URL
    pub gateway: Option<String>,
}

/// Tor integration configuration.
///
/// This controls how void routes network traffic and how it coordinates with
/// external Tor and Kubo daemons.
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
#[serde(default)]
pub struct TorConfig {
    /// Tor routing mode (off|external)
    pub mode: Option<String>,
    /// SOCKS proxy URL (e.g. socks5h://127.0.0.1:9050)
    #[serde(rename = "socksProxy")]
    pub socks_proxy: Option<String>,
    /// Tor control endpoint (host:port)
    pub control: Option<String>,
    /// Use Tor cookie authentication for control port access
    #[serde(rename = "cookieAuth")]
    pub cookie_auth: Option<bool>,
    /// Hidden service settings for exposing the P2P daemon
    #[serde(rename = "hiddenService")]
    pub hidden_service: Option<TorHiddenServiceConfig>,
    /// Kubo integration settings
    pub kubo: Option<TorKuboConfig>,
}

/// Tor hidden service configuration.
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
#[serde(default)]
pub struct TorHiddenServiceConfig {
    /// Enable hidden service publication for void P2P listener
    pub enabled: Option<bool>,
    /// Public virtual port exposed by the onion service
    #[serde(rename = "virtualPort")]
    pub virtual_port: Option<u16>,
    /// Local target endpoint (e.g. 127.0.0.1:4001)
    pub target: Option<String>,
    /// Resolved onion hostname (written by automation tooling)
    pub hostname: Option<String>,
}

/// Kubo-specific Tor integration options.
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
#[serde(default)]
pub struct TorKuboConfig {
    /// Enable Kubo Tor wiring automation
    pub enable: Option<bool>,
    /// Configure proxy environment for the Kubo service
    #[serde(rename = "setEnvProxy")]
    pub set_env_proxy: Option<bool>,
    /// Service unit name for Kubo (platform specific)
    #[serde(rename = "serviceName")]
    pub service_name: Option<String>,
}

/// Remote endpoint configuration.
///
/// A remote peer for block replication.
///
/// Stored in `.void/config.json` under the `remote` key.
/// Transitioning from SSH-based to P2P model — both fields coexist
/// during migration.
#[derive(Debug, Clone, Serialize, Deserialize, Default)]
#[serde(default)]
pub struct RemoteConfig {
    /// Remote URL (legacy — IPFS gateway or kubo API endpoint)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub url: Option<String>,
    /// SSH host (legacy — being replaced by P2P)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub host: Option<String>,
    /// SSH user (legacy)
    #[serde(skip_serializing_if = "Option::is_none")]
    pub user: Option<String>,
    /// SSH private key path (legacy)
    #[serde(rename = "keyPath", skip_serializing_if = "Option::is_none")]
    pub key_path: Option<String>,
    /// Libp2p peer multiaddr for direct P2P connection
    #[serde(rename = "peerMultiaddr", skip_serializing_if = "Option::is_none")]
    pub peer_multiaddr: Option<String>,
    /// libp2p PeerId (P2P model)
    #[serde(rename = "peerId", skip_serializing_if = "Option::is_none")]
    pub peer_id: Option<String>,
    /// Multiaddr(s) for P2P connection
    #[serde(default, skip_serializing_if = "Vec::is_empty")]
    pub addrs: Vec<String>,
    /// Optional human-readable label
    #[serde(skip_serializing_if = "Option::is_none")]
    pub label: Option<String>,
}

/// Config file path within workspace
const CONFIG_FILE: &str = "config.json";

#[derive(Debug, Clone, Copy)]
enum BasicConfigKey {
    Version,
    Created,
    RepoSecret,
    RepoId,
    RepoName,
    UserName,
    UserEmail,
    CoreCompressionLevel,
    CoreTargetShardSize,
    IpfsBackend,
    IpfsKuboApi,
    IpfsGateway,
}

impl BasicConfigKey {
    const ALL: [Self; 12] = [
        Self::Version,
        Self::Created,
        Self::RepoSecret,
        Self::RepoId,
        Self::RepoName,
        Self::UserName,
        Self::UserEmail,
        Self::CoreCompressionLevel,
        Self::CoreTargetShardSize,
        Self::IpfsBackend,
        Self::IpfsKuboApi,
        Self::IpfsGateway,
    ];

    fn parse(parts: &[&str]) -> Option<Self> {
        match parts {
            ["version"] => Some(Self::Version),
            ["created"] => Some(Self::Created),
            ["repoSecret"] => Some(Self::RepoSecret),
            ["repoId"] => Some(Self::RepoId),
            ["repoName"] => Some(Self::RepoName),
            ["user", "name"] => Some(Self::UserName),
            ["user", "email"] => Some(Self::UserEmail),
            ["core", "compression_level"] => Some(Self::CoreCompressionLevel),
            ["core", "target_shard_size"] => Some(Self::CoreTargetShardSize),
            ["ipfs", "backend"] => Some(Self::IpfsBackend),
            ["ipfs", "kuboApi"] => Some(Self::IpfsKuboApi),
            ["ipfs", "gateway"] => Some(Self::IpfsGateway),
            _ => None,
        }
    }

    fn dotted(self) -> &'static str {
        match self {
            Self::Version => "version",
            Self::Created => "created",
            Self::RepoSecret => "repoSecret",
            Self::RepoId => "repoId",
            Self::RepoName => "repoName",
            Self::UserName => "user.name",
            Self::UserEmail => "user.email",
            Self::CoreCompressionLevel => "core.compression_level",
            Self::CoreTargetShardSize => "core.target_shard_size",
            Self::IpfsBackend => "ipfs.backend",
            Self::IpfsKuboApi => "ipfs.kuboApi",
            Self::IpfsGateway => "ipfs.gateway",
        }
    }

    fn get(self, config: &Config) -> Option<String> {
        match self {
            Self::Version => config.version.map(|v| v.to_string()),
            Self::Created => config.created.clone(),
            Self::RepoSecret => config.repo_secret.clone(),
            Self::RepoId => config.repo_id.clone(),
            Self::RepoName => config.repo_name.clone(),
            Self::UserName => config.user.name.clone(),
            Self::UserEmail => config.user.email.clone(),
            Self::CoreCompressionLevel => Some(config.core.compression_level.to_string()),
            Self::CoreTargetShardSize => Some(config.core.target_shard_size.to_string()),
            Self::IpfsBackend => config.ipfs.as_ref().and_then(|c| c.backend.clone()),
            Self::IpfsKuboApi => config.ipfs.as_ref().and_then(|c| c.kubo_api.clone()),
            Self::IpfsGateway => config.ipfs.as_ref().and_then(|c| c.gateway.clone()),
        }
    }

    fn set(self, config: &mut Config, value: &str) -> Result<()> {
        match self {
            Self::Version | Self::Created | Self::RepoSecret | Self::RepoId | Self::RepoName => {
                Err(VoidError::Serialization(format!(
                    "read-only config key: {}",
                    self.dotted()
                )))
            }
            Self::UserName => {
                config.user.name = Some(value.to_string());
                Ok(())
            }
            Self::UserEmail => {
                config.user.email = Some(value.to_string());
                Ok(())
            }
            Self::CoreCompressionLevel => {
                let level: u8 = value.parse().map_err(|_| {
                    VoidError::Serialization("invalid compression_level".to_string())
                })?;
                if level > 22 {
                    return Err(VoidError::Serialization(
                        "compression_level must be 0-22".to_string(),
                    ));
                }
                config.core.compression_level = level;
                Ok(())
            }
            Self::CoreTargetShardSize => {
                config.core.target_shard_size = value.parse().map_err(|_| {
                    VoidError::Serialization("invalid target_shard_size".to_string())
                })?;
                Ok(())
            }
            Self::IpfsBackend => {
                config.ipfs.get_or_insert_with(IpfsConfig::default).backend =
                    Some(value.to_string());
                Ok(())
            }
            Self::IpfsKuboApi => {
                config.ipfs.get_or_insert_with(IpfsConfig::default).kubo_api =
                    Some(value.to_string());
                Ok(())
            }
            Self::IpfsGateway => {
                config.ipfs.get_or_insert_with(IpfsConfig::default).gateway =
                    Some(value.to_string());
                Ok(())
            }
        }
    }

    fn unset(self, config: &mut Config) -> Result<()> {
        match self {
            Self::Version | Self::Created | Self::RepoSecret | Self::RepoId | Self::RepoName => {
                Err(VoidError::Serialization(format!(
                    "read-only config key: {}",
                    self.dotted()
                )))
            }
            Self::UserName => {
                config.user.name = None;
                Ok(())
            }
            Self::UserEmail => {
                config.user.email = None;
                Ok(())
            }
            Self::CoreCompressionLevel => {
                config.core.compression_level = CoreConfig::default().compression_level;
                Ok(())
            }
            Self::CoreTargetShardSize => {
                config.core.target_shard_size = CoreConfig::default().target_shard_size;
                Ok(())
            }
            Self::IpfsBackend => {
                if let Some(ipfs) = config.ipfs.as_mut() {
                    ipfs.backend = None;
                }
                Ok(())
            }
            Self::IpfsKuboApi => {
                if let Some(ipfs) = config.ipfs.as_mut() {
                    ipfs.kubo_api = None;
                }
                Ok(())
            }
            Self::IpfsGateway => {
                if let Some(ipfs) = config.ipfs.as_mut() {
                    ipfs.gateway = None;
                }
                Ok(())
            }
        }
    }
}

/// Load config from .void/config.json
pub fn load(workspace: &Path) -> Result<Config> {
    let config_path = workspace.join(CONFIG_FILE);

    if !config_path.exists() {
        return Ok(Config::default());
    }

    let content = std::fs::read_to_string(&config_path)?;
    serde_json::from_str(&content).map_err(|e| VoidError::Serialization(e.to_string()))
}

/// Save config to .void/config.json
pub fn save(workspace: &Path, config: &Config) -> Result<()> {
    let config_path = workspace.join(CONFIG_FILE);
    let content = serde_json::to_string_pretty(config)
        .map_err(|e| VoidError::Serialization(e.to_string()))?;
    std::fs::write(&config_path, content)?;
    Ok(())
}

/// Get a config value by dotted key (e.g., "user.name", "core.compression_level")
pub fn get(workspace: &Path, key: &str) -> Result<Option<String>> {
    let config = load(workspace)?;
    Ok(get_value(&config, key))
}

/// Set a config value by dotted key
pub fn set(workspace: &Path, key: &str, value: &str) -> Result<()> {
    let mut config = load(workspace)?;
    set_value(&mut config, key, value)?;
    save(workspace, &config)
}

/// Unset a config value (set to None/default)
pub fn unset(workspace: &Path, key: &str) -> Result<()> {
    let mut config = load(workspace)?;
    unset_value(&mut config, key)?;
    save(workspace, &config)
}

/// List all config values as flat key-value pairs
pub fn list(workspace: &Path) -> Result<HashMap<String, String>> {
    let config = load(workspace)?;
    Ok(flatten_config(&config))
}

/// Get a value from config by dotted key
fn get_value(config: &Config, key: &str) -> Option<String> {
    let parts: Vec<&str> = key.split('.').collect();
    if let Some(value) = get_tor_value(config, parts.as_slice()) {
        return Some(value);
    }
    if let Some(basic_key) = BasicConfigKey::parse(parts.as_slice()) {
        return basic_key.get(config);
    }

    match parts.as_slice() {
        ["remote", name, "url"] => config.remote.get(*name).and_then(|r| r.url.clone()),
        ["remote", name, "host"] => config.remote.get(*name).and_then(|r| r.host.clone()),
        ["remote", name, "user"] => config.remote.get(*name).and_then(|r| r.user.clone()),
        ["remote", name, "keyPath"] => config.remote.get(*name).and_then(|r| r.key_path.clone()),
        ["remote", name, "peerMultiaddr"] => config.remote.get(*name).and_then(|r| r.peer_multiaddr.clone()),
        ["remote", name, "peerId"] => config.remote.get(*name).and_then(|r| r.peer_id.clone()),
        ["remote", name, "label"] => config.remote.get(*name).and_then(|r| r.label.clone()),
        _ => None,
    }
}

/// Set a value in config by dotted key
fn set_value(config: &mut Config, key: &str, value: &str) -> Result<()> {
    let parts: Vec<&str> = key.split('.').collect();
    if let Some(result) = set_tor_value(config, parts.as_slice(), value) {
        return result;
    }
    if let Some(basic_key) = BasicConfigKey::parse(parts.as_slice()) {
        return basic_key.set(config, value);
    }

    match parts.as_slice() {
        ["remote", name, "url"] => {
            config.remote.entry((*name).to_string()).or_insert_with(RemoteConfig::default).url = Some(value.to_string());
        }
        ["remote", name, "host"] => {
            config.remote.entry((*name).to_string()).or_insert_with(RemoteConfig::default).host = Some(value.to_string());
        }
        ["remote", name, "user"] => {
            config.remote.entry((*name).to_string()).or_insert_with(RemoteConfig::default).user = Some(value.to_string());
        }
        ["remote", name, "keyPath"] => {
            config.remote.entry((*name).to_string()).or_insert_with(RemoteConfig::default).key_path = Some(value.to_string());
        }
        ["remote", name, "peerMultiaddr"] => {
            config.remote.entry((*name).to_string()).or_insert_with(RemoteConfig::default).peer_multiaddr = Some(value.to_string());
        }
        ["remote", name, "peerId"] => {
            config.remote.entry((*name).to_string()).or_insert_with(RemoteConfig::default).peer_id = Some(value.to_string());
        }
        ["remote", name, "label"] => {
            config.remote.entry((*name).to_string()).or_insert_with(RemoteConfig::default).label = Some(value.to_string());
        }
        _ => {
            return Err(VoidError::Serialization(format!(
                "unknown config key: {key}"
            )));
        }
    }

    Ok(())
}

/// Unset a value in config by dotted key
fn unset_value(config: &mut Config, key: &str) -> Result<()> {
    let parts: Vec<&str> = key.split('.').collect();
    if let Some(result) = unset_tor_value(config, parts.as_slice()) {
        return result;
    }
    if let Some(basic_key) = BasicConfigKey::parse(parts.as_slice()) {
        return basic_key.unset(config);
    }

    match parts.as_slice() {
        ["remote", name, "url"] => {
            config.remote.remove(*name);
        }
        ["remote", name] => {
            config.remote.remove(*name);
        }
        _ => {
            return Err(VoidError::Serialization(format!(
                "unknown config key: {key}"
            )));
        }
    }

    Ok(())
}

/// Flatten config into key-value pairs
fn flatten_config(config: &Config) -> HashMap<String, String> {
    let mut result = HashMap::new();

    for basic_key in BasicConfigKey::ALL {
        if let Some(value) = basic_key.get(config) {
            result.insert(basic_key.dotted().to_string(), value);
        }
    }

    if let Some(tor) = &config.tor {
        flatten_tor_config(&mut result, tor);
    }

    // Remote configs
    for (name, remote) in &config.remote {
        if let Some(url) = &remote.url {
            result.insert(format!("remote.{name}.url"), url.clone());
        }
        if let Some(host) = &remote.host {
            result.insert(format!("remote.{name}.host"), host.clone());
        }
        if let Some(user) = &remote.user {
            result.insert(format!("remote.{name}.user"), user.clone());
        }
        if let Some(key_path) = &remote.key_path {
            result.insert(format!("remote.{name}.keyPath"), key_path.clone());
        }
        if let Some(peer) = &remote.peer_multiaddr {
            result.insert(format!("remote.{name}.peerMultiaddr"), peer.clone());
        }
        if let Some(peer_id) = &remote.peer_id {
            result.insert(format!("remote.{name}.peerId"), peer_id.clone());
        }
        if let Some(label) = &remote.label {
            result.insert(format!("remote.{name}.label"), label.clone());
        }
    }

    result
}

fn get_tor_value(config: &Config, parts: &[&str]) -> Option<String> {
    let tor = config.tor.as_ref()?;
    match parts {
        ["tor", "mode"] => tor.mode.clone(),
        ["tor", "socksProxy"] => tor.socks_proxy.clone(),
        ["tor", "control"] => tor.control.clone(),
        ["tor", "cookieAuth"] => tor.cookie_auth.map(|v| v.to_string()),
        ["tor", "hiddenService", "enabled"] => tor
            .hidden_service
            .as_ref()
            .and_then(|hs| hs.enabled.map(|v| v.to_string())),
        ["tor", "hiddenService", "virtualPort"] => tor
            .hidden_service
            .as_ref()
            .and_then(|hs| hs.virtual_port.map(|v| v.to_string())),
        ["tor", "hiddenService", "target"] => {
            tor.hidden_service.as_ref().and_then(|hs| hs.target.clone())
        }
        ["tor", "hiddenService", "hostname"] => tor
            .hidden_service
            .as_ref()
            .and_then(|hs| hs.hostname.clone()),
        ["tor", "kubo", "enable"] => tor
            .kubo
            .as_ref()
            .and_then(|k| k.enable.map(|v| v.to_string())),
        ["tor", "kubo", "setEnvProxy"] => tor
            .kubo
            .as_ref()
            .and_then(|k| k.set_env_proxy.map(|v| v.to_string())),
        ["tor", "kubo", "serviceName"] => tor.kubo.as_ref().and_then(|k| k.service_name.clone()),
        _ => None,
    }
}

fn set_tor_value(config: &mut Config, parts: &[&str], value: &str) -> Option<Result<()>> {
    match parts {
        ["tor", "mode"] => Some(parse_tor_mode(value).map(|mode| {
            tor_config_mut(config).mode = Some(mode);
        })),
        ["tor", "socksProxy"] => Some(Ok({
            tor_config_mut(config).socks_proxy = Some(value.to_string());
        })),
        ["tor", "control"] => Some(Ok({
            tor_config_mut(config).control = Some(value.to_string());
        })),
        ["tor", "cookieAuth"] => Some(parse_bool(value, "cookieAuth").map(|parsed| {
            tor_config_mut(config).cookie_auth = Some(parsed);
        })),
        ["tor", "hiddenService", "enabled"] => {
            Some(parse_bool(value, "hiddenService.enabled").map(|parsed| {
                tor_hidden_service_mut(config).enabled = Some(parsed);
            }))
        }
        ["tor", "hiddenService", "virtualPort"] => Some(
            value
                .parse::<u16>()
                .map_err(|_| {
                    VoidError::Serialization("invalid hiddenService.virtualPort".to_string())
                })
                .map(|parsed| {
                    tor_hidden_service_mut(config).virtual_port = Some(parsed);
                }),
        ),
        ["tor", "hiddenService", "target"] => Some(Ok({
            tor_hidden_service_mut(config).target = Some(value.to_string());
        })),
        ["tor", "hiddenService", "hostname"] => Some(Ok({
            tor_hidden_service_mut(config).hostname = Some(value.to_string());
        })),
        ["tor", "kubo", "enable"] => Some(parse_bool(value, "kubo.enable").map(|parsed| {
            tor_kubo_mut(config).enable = Some(parsed);
        })),
        ["tor", "kubo", "setEnvProxy"] => {
            Some(parse_bool(value, "kubo.setEnvProxy").map(|parsed| {
                tor_kubo_mut(config).set_env_proxy = Some(parsed);
            }))
        }
        ["tor", "kubo", "serviceName"] => Some(Ok({
            tor_kubo_mut(config).service_name = Some(value.to_string());
        })),
        _ => None,
    }
}

fn unset_tor_value(config: &mut Config, parts: &[&str]) -> Option<Result<()>> {
    match parts {
        ["tor", "mode"] => Some({
            if let Some(tor) = config.tor.as_mut() {
                tor.mode = None;
            }
            Ok(())
        }),
        ["tor", "socksProxy"] => Some({
            if let Some(tor) = config.tor.as_mut() {
                tor.socks_proxy = None;
            }
            Ok(())
        }),
        ["tor", "control"] => Some({
            if let Some(tor) = config.tor.as_mut() {
                tor.control = None;
            }
            Ok(())
        }),
        ["tor", "cookieAuth"] => Some({
            if let Some(tor) = config.tor.as_mut() {
                tor.cookie_auth = None;
            }
            Ok(())
        }),
        ["tor", "hiddenService", "enabled"] => Some({
            if let Some(hidden) = config
                .tor
                .as_mut()
                .and_then(|tor| tor.hidden_service.as_mut())
            {
                hidden.enabled = None;
            }
            Ok(())
        }),
        ["tor", "hiddenService", "virtualPort"] => Some({
            if let Some(hidden) = config
                .tor
                .as_mut()
                .and_then(|tor| tor.hidden_service.as_mut())
            {
                hidden.virtual_port = None;
            }
            Ok(())
        }),
        ["tor", "hiddenService", "target"] => Some({
            if let Some(hidden) = config
                .tor
                .as_mut()
                .and_then(|tor| tor.hidden_service.as_mut())
            {
                hidden.target = None;
            }
            Ok(())
        }),
        ["tor", "hiddenService", "hostname"] => Some({
            if let Some(hidden) = config
                .tor
                .as_mut()
                .and_then(|tor| tor.hidden_service.as_mut())
            {
                hidden.hostname = None;
            }
            Ok(())
        }),
        ["tor", "kubo", "enable"] => Some({
            if let Some(kubo) = config.tor.as_mut().and_then(|tor| tor.kubo.as_mut()) {
                kubo.enable = None;
            }
            Ok(())
        }),
        ["tor", "kubo", "setEnvProxy"] => Some({
            if let Some(kubo) = config.tor.as_mut().and_then(|tor| tor.kubo.as_mut()) {
                kubo.set_env_proxy = None;
            }
            Ok(())
        }),
        ["tor", "kubo", "serviceName"] => Some({
            if let Some(kubo) = config.tor.as_mut().and_then(|tor| tor.kubo.as_mut()) {
                kubo.service_name = None;
            }
            Ok(())
        }),
        _ => None,
    }
}

fn flatten_tor_config(result: &mut HashMap<String, String>, tor: &TorConfig) {
    if let Some(mode) = &tor.mode {
        result.insert("tor.mode".to_string(), mode.clone());
    }
    if let Some(socks_proxy) = &tor.socks_proxy {
        result.insert("tor.socksProxy".to_string(), socks_proxy.clone());
    }
    if let Some(control) = &tor.control {
        result.insert("tor.control".to_string(), control.clone());
    }
    if let Some(cookie_auth) = tor.cookie_auth {
        result.insert("tor.cookieAuth".to_string(), cookie_auth.to_string());
    }
    if let Some(hidden) = &tor.hidden_service {
        if let Some(enabled) = hidden.enabled {
            result.insert("tor.hiddenService.enabled".to_string(), enabled.to_string());
        }
        if let Some(port) = hidden.virtual_port {
            result.insert(
                "tor.hiddenService.virtualPort".to_string(),
                port.to_string(),
            );
        }
        if let Some(target) = &hidden.target {
            result.insert("tor.hiddenService.target".to_string(), target.clone());
        }
        if let Some(hostname) = &hidden.hostname {
            result.insert("tor.hiddenService.hostname".to_string(), hostname.clone());
        }
    }
    if let Some(kubo) = &tor.kubo {
        if let Some(enable) = kubo.enable {
            result.insert("tor.kubo.enable".to_string(), enable.to_string());
        }
        if let Some(set_env_proxy) = kubo.set_env_proxy {
            result.insert(
                "tor.kubo.setEnvProxy".to_string(),
                set_env_proxy.to_string(),
            );
        }
        if let Some(service_name) = &kubo.service_name {
            result.insert("tor.kubo.serviceName".to_string(), service_name.clone());
        }
    }
}

fn tor_config_mut(config: &mut Config) -> &mut TorConfig {
    config.tor.get_or_insert_with(TorConfig::default)
}

fn tor_hidden_service_mut(config: &mut Config) -> &mut TorHiddenServiceConfig {
    tor_config_mut(config)
        .hidden_service
        .get_or_insert_with(TorHiddenServiceConfig::default)
}

fn tor_kubo_mut(config: &mut Config) -> &mut TorKuboConfig {
    tor_config_mut(config)
        .kubo
        .get_or_insert_with(TorKuboConfig::default)
}

fn parse_bool(value: &str, field: &str) -> Result<bool> {
    value
        .parse()
        .map_err(|_| VoidError::Serialization(format!("invalid {field}")))
}

fn parse_tor_mode(value: &str) -> Result<String> {
    match value {
        "off" | "external" => Ok(value.to_string()),
        _ => Err(VoidError::Serialization(
            "tor.mode must be 'off' or 'external'".to_string(),
        )),
    }
}


/// Load the repo_secret from config.json, falling back to a vault-derived secret.
///
/// This centralizes the repo_secret loading pattern used by CLI and TUI.
/// When no repo_secret is configured, derives one deterministically from
/// the root key via HKDF — the raw root key is never exposed.
pub fn load_repo_secret(void_dir: &Path, vault: &void_crypto::KeyVault) -> void_crypto::CryptoResult<void_crypto::RepoSecret> {
    if let Ok(cfg) = load(void_dir) {
        if let Some(secret_hex) = cfg.repo_secret {
            if let Ok(bytes) = hex::decode(secret_hex.trim()) {
                if let Ok(arr) = <[u8; 32]>::try_from(bytes.as_slice()) {
                    return Ok(void_crypto::RepoSecret::new(arr));
                }
            }
        }
    }
    Ok(void_crypto::RepoSecret::new(*vault.repo_secret_fallback()?.as_bytes()))
}

#[cfg(test)]
mod tests {
    use super::*;
    use tempfile::tempdir;

    #[test]
    fn test_default_config() {
        let config = Config::default();
        assert!(config.version.is_none());
        assert!(config.created.is_none());
        assert!(config.repo_secret.is_none());
        assert!(config.ipfs.is_none());
        assert!(config.tor.is_none());
        assert!(config.user.name.is_none());
        assert!(config.user.email.is_none());
        assert_eq!(config.core.compression_level, 3);
        assert_eq!(config.core.target_shard_size, 100_000);
        assert!(config.remote.is_empty());
    }

    #[test]
    fn test_save_and_load() {
        let dir = tempdir().unwrap();
        let workspace = dir.path();

        let mut config = Config::default();
        config.user.name = Some("Test User".to_string());
        config.user.email = Some("test@example.com".to_string());

        save(workspace, &config).unwrap();
        let loaded = load(workspace).unwrap();

        assert_eq!(loaded.user.name, Some("Test User".to_string()));
        assert_eq!(loaded.user.email, Some("test@example.com".to_string()));
    }

    #[test]
    fn test_get_set() {
        let dir = tempdir().unwrap();
        let workspace = dir.path();

        // Set and get user.name
        set(workspace, "user.name", "Alice").unwrap();
        assert_eq!(
            get(workspace, "user.name").unwrap(),
            Some("Alice".to_string())
        );

        // Set and get core.compression_level
        set(workspace, "core.compression_level", "5").unwrap();
        assert_eq!(
            get(workspace, "core.compression_level").unwrap(),
            Some("5".to_string())
        );

        // Set and get remote
        set(workspace, "remote.origin.url", "https://example.com").unwrap();
        assert_eq!(
            get(workspace, "remote.origin.url").unwrap(),
            Some("https://example.com".to_string())
        );

        // Set and get ipfs backend
        set(workspace, "ipfs.backend", "kubo").unwrap();
        assert_eq!(
            get(workspace, "ipfs.backend").unwrap(),
            Some("kubo".to_string())
        );

        // Set and get tor mode
        set(workspace, "tor.mode", "external").unwrap();
        assert_eq!(
            get(workspace, "tor.mode").unwrap(),
            Some("external".to_string())
        );

        // Set and get tor cookie auth
        set(workspace, "tor.cookieAuth", "true").unwrap();
        assert_eq!(
            get(workspace, "tor.cookieAuth").unwrap(),
            Some("true".to_string())
        );

        // Set and get tor hidden service virtual port
        set(workspace, "tor.hiddenService.virtualPort", "4001").unwrap();
        assert_eq!(
            get(workspace, "tor.hiddenService.virtualPort").unwrap(),
            Some("4001".to_string())
        );
    }

    #[test]
    fn test_unset() {
        let dir = tempdir().unwrap();
        let workspace = dir.path();

        set(workspace, "user.name", "Alice").unwrap();
        assert!(get(workspace, "user.name").unwrap().is_some());

        unset(workspace, "user.name").unwrap();
        assert!(get(workspace, "user.name").unwrap().is_none());

        set(workspace, "tor.mode", "external").unwrap();
        assert_eq!(
            get(workspace, "tor.mode").unwrap(),
            Some("external".to_string())
        );
        unset(workspace, "tor.mode").unwrap();
        assert!(get(workspace, "tor.mode").unwrap().is_none());
    }

    #[test]
    fn test_list() {
        let dir = tempdir().unwrap();
        let workspace = dir.path();

        set(workspace, "user.name", "Alice").unwrap();
        set(workspace, "user.email", "alice@example.com").unwrap();
        set(workspace, "remote.origin.url", "https://example.com").unwrap();
        set(workspace, "ipfs.gateway", "https://dweb.link").unwrap();
        set(workspace, "tor.socksProxy", "socks5h://127.0.0.1:9050").unwrap();

        let all = list(workspace).unwrap();

        assert_eq!(all.get("user.name"), Some(&"Alice".to_string()));
        assert_eq!(
            all.get("user.email"),
            Some(&"alice@example.com".to_string())
        );
        assert_eq!(
            all.get("remote.origin.url"),
            Some(&"https://example.com".to_string())
        );
        assert_eq!(
            all.get("ipfs.gateway"),
            Some(&"https://dweb.link".to_string())
        );
        assert_eq!(
            all.get("tor.socksProxy"),
            Some(&"socks5h://127.0.0.1:9050".to_string())
        );
        // Core defaults should also be present
        assert!(all.contains_key("core.compression_level"));
        assert!(all.contains_key("core.target_shard_size"));
    }

    #[test]
    fn test_invalid_key() {
        let dir = tempdir().unwrap();
        let workspace = dir.path();

        let result = set(workspace, "invalid.key", "value");
        assert!(result.is_err());
    }

    #[test]
    fn test_invalid_value() {
        let dir = tempdir().unwrap();
        let workspace = dir.path();

        let result = set(workspace, "core.compression_level", "not_a_number");
        assert!(result.is_err());
    }

    #[test]
    fn test_invalid_tor_mode() {
        let dir = tempdir().unwrap();
        let workspace = dir.path();

        let result = set(workspace, "tor.mode", "invalid");
        assert!(result.is_err());
    }
}