#!/bin/bash
set -euo pipefail

# honeypot — macOS Keychain credential wrapper for Hive
#
# Stores secrets scoped to the Hive instance under service prefix "hive/<id>/".
# Also supports a cross-instance "beekeeper/<KEY>" namespace for Beekeeper-tier
# secrets (e.g. pipelines that run outside any specific Hive instance).
# The keychain MCP server (keychain-mcp-server.ts) reads these at runtime.
# Coexists with .env — either source works, Keychain is preferred for new installs.
#
# Usage:
#   honeypot set ANTHROPIC_API_KEY              # instance-scoped, prompts for value
#   honeypot set SLACK_BOT_TOKEN "xoxb-..."     # instance-scoped, inline value
#   honeypot set beekeeper/LINEAR_API_KEY       # beekeeper-tier (cross-instance)
#   honeypot set hive/dodi/SOMETHING "v"        # fully-qualified, used as-is
#   honeypot get ANTHROPIC_API_KEY              # print value
#   honeypot get beekeeper/LINEAR_API_KEY       # beekeeper-tier
#   honeypot list                               # show stored keys (no values)
#   honeypot rm ANTHROPIC_API_KEY               # delete
#   honeypot doctor                             # check required keys are present

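# ANSI colour codes used by the status output below. They are emitted via
# `echo -e` / `printf '%b'`, so they are stored as backslash sequences, not
# raw ESC bytes. Marked readonly so a later arm cannot silently clobber them.
readonly GREEN='\033[0;32m'
readonly RED='\033[0;31m'
readonly YELLOW='\033[1;33m'
readonly DIM='\033[2m'
readonly NC='\033[0m'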

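# Resolve the Hive instance ID from hive.yaml.
#
# Looks, in order, at $HIVE_HOME/hive.yaml, ./hive.yaml and ~/.hive/hive.yaml
# and prints the `id:` value of the `instance:` block (surrounding quotes and
# whitespace stripped). Falls back to "hive" when no file is found or no id
# can be parsed. The fallback matters under `set -euo pipefail`: a hive.yaml
# without an `id:` previously made the grep pipeline fail, which aborted the
# whole script from inside the INSTANCE_ID command substitution.
#
# Globals:   HIVE_HOME, HOME (read)
# Outputs:   instance ID on stdout
# Returns:   0 always
resolve_instance_id() {
  local yaml=""
  if [ -n "${HIVE_HOME:-}" ] && [ -f "${HIVE_HOME}/hive.yaml" ]; then
    yaml="${HIVE_HOME}/hive.yaml"
  elif [ -f "./hive.yaml" ]; then
    yaml="./hive.yaml"
  elif [ -f "${HOME}/.hive/hive.yaml" ]; then
    yaml="${HOME}/.hive/hive.yaml"
  fi

  if [ -n "$yaml" ]; then
    # Plain text scan (no yq dependency): within five lines of `instance:`,
    # take the first line whose key is exactly `id`, so keys such as `guid:`
    # or `workspace_id:` and commented-out lines are not mistaken for it.
    # `|| true` keeps a no-match from failing the pipeline under pipefail.
    local id
    id=$(grep -A5 '^instance:' "$yaml" 2>/dev/null \
      | sed -n 's/^[[:space:]]*id:[[:space:]]*//p' \
      | head -n 1 \
      | tr -d '[:space:]"'"'" || true)
    if [ -n "$id" ]; then
      echo "$id"
      return
    fi
  fi
  echo "hive"
}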

# Instance-scoped service prefix for keychain items, e.g. "hive/dodi".
# Resolved once at startup; every bare <KEY> is stored under "${PREFIX}/<KEY>".
INSTANCE_ID="$(resolve_instance_id)"
PREFIX="hive/${INSTANCE_ID}"

# Map a key argument to the keychain service (-s) and account (-a) names.
# Sets globals: ACCOUNT_SERVICE, ACCOUNT_NAME
#
# Namespaces:
#   beekeeper/<KEY>      → service="beekeeper/<KEY>",       account="<KEY>"
#   hive/<id>/<KEY>      → service="hive/<id>/<KEY>",       account="<KEY>"
#   <KEY>                → service="hive/<instance>/<KEY>", account="<KEY>"
# Arguments: $1 - key as given on the command line
resolve_account() {
  local key="$1"
  case "$key" in
    beekeeper/*)
      ACCOUNT_SERVICE="$key"
      ACCOUNT_NAME="${key#beekeeper/}"
      ;;
    hive/*/*)
      # Fully qualified: service is used as-is, account is the bare key after
      # the "hive/<id>/" prefix.
      ACCOUNT_SERVICE="$key"
      local bare="${key#hive/}"
      ACCOUNT_NAME="${bare#*/}"
      ;;
    *)
      ACCOUNT_SERVICE="${PREFIX}/${key}"
      ACCOUNT_NAME="$key"
      ;;
  esac
}

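# --- helpers for the command arms -------------------------------------------

# keychain_has SERVICE ACCOUNT — true if a generic-password item exists.
# Output and diagnostics are discarded; this is a presence check only, so the
# secret is never written to the terminal from here.
keychain_has() {
  security find-generic-password -s "$1" -a "$2" -w >/dev/null 2>&1
}

# all_service_names — names of keychain items, one per line, de-duplicated.
# Scans the 0x00000007 attribute line of each `security dump-keychain` item;
# this is the line the `list` command has always filtered on, presumably the
# item label that defaults to the service name (TODO confirm against the
# dump format). Never fails: an empty or unreadable keychain yields no output.
all_service_names() {
  security dump-keychain 2>/dev/null \
    | grep '0x00000007' \
    | sed 's/.*<blob>="\([^"]*\)".*/\1/' \
    | sort -u || true
}

# print_section TITLE BODY — dimmed heading, blank line, then BODY (newline
# terminated names) indented by two spaces, or "(none)" when BODY is empty.
print_section() {
  local title="$1" body="$2"
  printf '%b%s%b\n\n' "$DIM" "$title" "$NC"
  if [ -z "$body" ]; then
    echo "  (none)"
  else
    printf '%s' "$body" | sed 's/^/  /'
  fi
}

# --- dispatch ----------------------------------------------------------------

cmd="${1:-help}"
shift || true

case "$cmd" in
  set)
    key="${1:-}"
    value="${2:-}"
    if [ -z "$key" ]; then
      echo "Usage: honeypot set <KEY> [value]" >&2
      echo "       honeypot set beekeeper/<KEY> [value]" >&2
      exit 1
    fi
    resolve_account "$key"
    if [ -z "$value" ]; then
      # Preferred path: read the secret with echo off so it stays out of shell
      # history. An inline value given on the command line is recorded in
      # history and visible to `ps` while the script runs.
      printf 'Enter value for %s: ' "$key"
      read -rs value
      echo ""
      if [ -z "$value" ]; then
        printf '%bError:%b empty value\n' "$RED" "$NC" >&2
        exit 1
      fi
    fi
    # -U updates an existing item in place. If that call is rejected, retry
    # as a plain add; its failure (e.g. item already exists) is fatal under
    # set -e and `security` prints its own diagnostic.
    # NOTE(review): the value is passed to `security` via argv (-w), which
    # is briefly visible in process listings; the tool offers no stdin path.
    if ! security add-generic-password \
      -s "$ACCOUNT_SERVICE" \
      -a "$ACCOUNT_NAME" \
      -w "$value" \
      -U 2>/dev/null; then
      security add-generic-password \
        -s "$ACCOUNT_SERVICE" \
        -a "$ACCOUNT_NAME" \
        -w "$value"
    fi
    printf '%b+%b %s\n' "$GREEN" "$NC" "$ACCOUNT_SERVICE"
    ;;

  get)
    key="${1:-}"
    if [ -z "$key" ]; then
      echo "Usage: honeypot get <KEY>" >&2
      exit 1
    fi
    resolve_account "$key"
    # Prints the secret on stdout by design (callers capture it).
    if ! security find-generic-password \
      -s "$ACCOUNT_SERVICE" \
      -a "$ACCOUNT_NAME" \
      -w 2>/dev/null; then
      printf '%bNot found:%b %s\n' "$RED" "$NC" "$ACCOUNT_SERVICE" >&2
      exit 1
    fi
    ;;

  rm|remove|delete)
    key="${1:-}"
    if [ -z "$key" ]; then
      echo "Usage: honeypot rm <KEY>" >&2
      exit 1
    fi
    resolve_account "$key"
    # if/else rather than `cmd && ok || fail`, so a failure of the success
    # message can never be reported as "Not found".
    if security delete-generic-password \
      -s "$ACCOUNT_SERVICE" \
      -a "$ACCOUNT_NAME" >/dev/null 2>&1; then
      printf '%b-%b %s\n' "$GREEN" "$NC" "$ACCOUNT_SERVICE"
    else
      printf '%bNot found:%b %s\n' "$RED" "$NC" "$ACCOUNT_SERVICE" >&2
      exit 1
    fi
    ;;

  list|ls)
    # Read the keychain dump once and bucket names by namespace. The prefix
    # is matched as a literal (quoted in the case pattern), so an instance
    # id containing regex metacharacters cannot widen the match. Names are
    # kept newline-delimited in strings: "${arr[@]}" on an empty array
    # trips `set -u` on the bash 3.2 that ships with macOS.
    instance_entries=""
    beekeeper_entries=""
    while IFS= read -r svc; do
      case "$svc" in
        "${PREFIX}/"*) instance_entries+="${svc#"${PREFIX}/"}"$'\n' ;;
        beekeeper/*)   beekeeper_entries+="${svc#beekeeper/}"$'\n' ;;
      esac
    done < <(all_service_names)

    print_section "Secrets under ${PREFIX}/:" "$instance_entries"
    echo ""
    print_section "Secrets under beekeeper/ (cross-instance):" "$beekeeper_entries"
    ;;

  doctor)
    printf 'Checking required credentials for %b%s%b...\n\n' "$YELLOW" "$INSTANCE_ID" "$NC"
    required=("ANTHROPIC_API_KEY" "SLACK_APP_TOKEN" "SLACK_BOT_TOKEN")
    recommended=("MONGODB_URI")
    missing=0

    # Go through resolve_account so doctor checks exactly the item `set`
    # would have written for a bare key.
    for key in "${required[@]}"; do
      resolve_account "$key"
      if keychain_has "$ACCOUNT_SERVICE" "$ACCOUNT_NAME"; then
        printf '  %bok%b  %s\n' "$GREEN" "$NC" "$key"
      else
        printf '  %b--%b  %s  %b(required)%b\n' "$RED" "$NC" "$key" "$DIM" "$NC"
        missing=$((missing + 1))
      fi
    done

    for key in "${recommended[@]}"; do
      resolve_account "$key"
      if keychain_has "$ACCOUNT_SERVICE" "$ACCOUNT_NAME"; then
        printf '  %bok%b  %s\n' "$GREEN" "$NC" "$key"
      else
        printf '  %b--%b  %s  %b(recommended)%b\n' "$YELLOW" "$NC" "$key" "$DIM" "$NC"
      fi
    done

    echo ""
    if [ "$missing" -eq 0 ]; then
      printf '%bAll required credentials present.%b\n' "$GREEN" "$NC"
    else
      printf 'Run %bhoneypot set <KEY>%b to add missing credentials.\n' "$YELLOW" "$NC"
      exit 1
    fi
    ;;

  help|--help|-h)
    cat <<'HELP'
honeypot — macOS Keychain credential store for Hive

Usage:
  honeypot set <KEY> [value]            Store an instance-scoped credential
  honeypot set beekeeper/<KEY> [value]  Store a cross-instance Beekeeper-tier secret
  honeypot get <KEY>                    Retrieve a credential
  honeypot list                         Show stored keys (no values)
  honeypot rm <KEY>                     Delete a credential
  honeypot doctor                       Check required credentials are present
  honeypot help                         This message

Credentials are stored in macOS Keychain under one of:
  hive/<instance-id>/<KEY>   instance-scoped (default for bare KEY)
  beekeeper/<KEY>            cross-instance Beekeeper-tier (e.g. pipeline-tick)

Both namespaces are readable by the Hive keychain MCP server at runtime.

HELP
    ;;

  *)
    echo "Unknown command: $cmd" >&2
    echo "Run 'honeypot help' for usage." >&2
    exit 1
    ;;
esac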
