#!/usr/bin/env python3
"""arq-r2 — Cloudflare R2 storage bridge.
v0: arq-r2 bucket list · arq-r2 bucket usage <name>

Uses CF API (not S3 protocol). Requires CLOUDFLARE_API_TOKEN + ACCOUNT_ID.
"""
import argparse, json, os, sys, urllib.request, urllib.error
from pathlib import Path
sys.path.insert(0, str(Path(__file__).parent))
from _arq_provider_base import sops_extract, call_with_audit, print_json, handle_meta_flags

PROVIDER = "r2"
REQUIRED_SCOPES: dict[str, list[str]] = {
    # Cloudflare API token permission for Workers R2 Storage.
    "bucket list": ["Account:Workers R2 Storage:Read"],
    "bucket usage": ["Account:Workers R2 Storage:Read"],
}
def _key(): return os.environ.get("CLOUDFLARE_API_TOKEN") or sops_extract('["cloudflare"]["cloudflare_api_token"]')
def _acct(): return os.environ.get("CLOUDFLARE_ACCOUNT_ID") or sops_extract('["cloudflare"]["account_id"]')
def _get(path):
    k = _key()
    if not k: return 401, "no cf api token"
    req = urllib.request.Request(f"https://api.cloudflare.com/client/v4{path}", headers={"Authorization": f"Bearer {k}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as r: return r.status, json.loads(r.read())
    except urllib.error.HTTPError as e: return e.code, e.read().decode("utf-8","ignore")
    except Exception as e: return 500, str(e)

def _list(a):
    acc = _acct()
    if not acc: sys.stderr.write("no cf account_id\n"); return 1
    c, d = _get(f"/accounts/{acc}/r2/buckets")
    if c != 200: sys.stderr.write(f"HTTP {c}: {d}\n"); return 1
    return print_json(d)
def _usage(a):
    acc = _acct()
    c, d = _get(f"/accounts/{acc}/r2/buckets/{a.name}/usage")
    if c != 200: sys.stderr.write(f"HTTP {c}: {d}\n"); return 1
    return print_json(d)

def main():
    handle_meta_flags(PROVIDER, REQUIRED_SCOPES)
    p = argparse.ArgumentParser(prog="arq-r2"); s = p.add_subparsers(dest="cmd", required=True)
    sb = s.add_parser("bucket"); sb2 = sb.add_subparsers(dest="action", required=True)
    sb2.add_parser("list").set_defaults(func=_list, verb="bucket list")
    sbu = sb2.add_parser("usage"); sbu.add_argument("name"); sbu.set_defaults(func=_usage, verb="bucket usage")
    args = p.parse_args()
    return call_with_audit(PROVIDER, args.verb, args.func, args)

if __name__ == "__main__": sys.exit(main())
