#!/bin/bash
# Git auth shim -- injects GITHUB_TOKEN credentials for network operations
# inside the configured OpenClaw repo so the agent can use plain git commands.

REAL_GIT_HINT="@@REAL_GIT@@"
OPENCLAW_REPO_ROOT="@@OPENCLAW_REPO_ROOT@@"
ASKPASS_PATH="/tmp/alphaclaw-git-askpass.sh"

same_path() {
  local left_path right_path
  left_path="$(readlink -f "$1" 2>/dev/null || printf '%s' "$1")"
  right_path="$(readlink -f "$2" 2>/dev/null || printf '%s' "$2")"
  [ "$left_path" = "$right_path" ]
}

resolve_real_git() {
  local self_path candidate
  self_path="$(readlink -f "$0" 2>/dev/null || printf '%s' "$0")"
  for candidate in \
    "${ALPHACLAW_REAL_GIT:-}" \
    "$REAL_GIT_HINT" \
    "/usr/bin/git" \
    "/bin/git" \
    "/usr/libexec/git-core/git" \
    "/usr/local/bin/git.real"
  do
    [ -n "$candidate" ] || continue
    [ -x "$candidate" ] || continue
    same_path "$candidate" "$self_path" && continue
    printf '%s\n' "$candidate"
    return 0
  done

  if command -v which >/dev/null 2>&1; then
    while IFS= read -r candidate; do
      [ -n "$candidate" ] || continue
      [ -x "$candidate" ] || continue
      same_path "$candidate" "$self_path" && continue
      printf '%s\n' "$candidate"
      return 0
    done <<EOF
$(which -a git 2>/dev/null || true)
EOF
  fi

  return 1
}

canonicalize_path() {
  local target_path resolved_path
  target_path="$1"
  [ -n "$target_path" ] || return 1

  if [ -d "$target_path" ]; then
    resolved_path="$(cd "$target_path" 2>/dev/null && pwd -P)" || resolved_path=""
    if [ -n "$resolved_path" ]; then
      printf '%s\n' "$resolved_path"
      return 0
    fi
  fi

  resolved_path="$(readlink -f "$target_path" 2>/dev/null || true)"
  if [ -n "$resolved_path" ]; then
    printf '%s\n' "$resolved_path"
    return 0
  fi

  printf '%s\n' "$target_path"
}

resolve_effective_pwd() {
  local effective_pwd
  effective_pwd="$(pwd)"

  while [ "$#" -gt 0 ]; do
    case "$1" in
      -C)
        shift
        [ "$#" -gt 0 ] || break
        case "$1" in
          /*) effective_pwd="$1" ;;
          *) effective_pwd="$effective_pwd/$1" ;;
        esac
        ;;
      -c|--exec-path|--git-dir|--work-tree|--namespace|--config-env|--super-prefix|--list-cmds|--attr-source)
        shift
        [ "$#" -gt 0 ] || break
        ;;
      --exec-path=*|--git-dir=*|--work-tree=*|--namespace=*|--config-env=*|--super-prefix=*|--list-cmds=*|--attr-source=*)
        ;;
      --)
        break
        ;;
      -*)
        ;;
      *)
        break
        ;;
    esac
    shift
  done

  canonicalize_path "$effective_pwd"
}

in_openclaw_root() {
  local candidate_path resolved_repo_root resolved_candidate_path
  candidate_path="$1"
  if [ -z "$OPENCLAW_REPO_ROOT" ]; then
    return 1
  fi
  resolved_repo_root="$(canonicalize_path "$OPENCLAW_REPO_ROOT")"
  resolved_candidate_path="$(canonicalize_path "$candidate_path")"
  case "$resolved_candidate_path" in
    "$resolved_repo_root"|"${resolved_repo_root}"/*) return 0 ;;
    *) return 1 ;;
  esac
}

REAL_GIT="$(resolve_real_git || true)"
if [ -z "$REAL_GIT" ]; then
  echo "alphaclaw git shim: real git binary not found" >&2
  exit 127
fi

EFFECTIVE_PWD="$(resolve_effective_pwd "$@")"

if [ -z "${GITHUB_TOKEN:-}" ] && in_openclaw_root "$EFFECTIVE_PWD" && [ -f "$OPENCLAW_REPO_ROOT/.env" ]; then
  set -a
  . "$OPENCLAW_REPO_ROOT/.env" >/dev/null 2>&1 || true
  set +a
fi

if [ "${ALPHACLAW_GIT_NO_AUTH:-}" = "1" ] || [ -z "${GITHUB_TOKEN:-}" ] || ! in_openclaw_root "$EFFECTIVE_PWD"; then
  exec "$REAL_GIT" "$@"
fi

export GIT_TERMINAL_PROMPT=0
export GIT_ASKPASS="$ASKPASS_PATH"
exec "$REAL_GIT" "$@"
