#!/usr/bin/env python3
"""arq-salesforce — salesforce API bridge. v0: sobjects list"""
import argparse, json, os, sys, urllib.request, urllib.error
from pathlib import Path
sys.path.insert(0, str(Path(__file__).parent))
from _arq_provider_base import sops_extract, call_with_audit, print_json, handle_meta_flags

PROVIDER = "salesforce"
REQUIRED_SCOPES: dict[str, list[str]] = {
    # Salesforce Connected-App OAuth scope for /sobjects.
    "list": ["api"],
}
def _key(): return os.environ.get("SALESFORCE_TOKEN") or sops_extract('["arqera_twin_admin"]["salesforce"]["value"]') or sops_extract('["salesforce"]["salesforce_api_key"]')
def _get(path):
    k = _key()
    if not k: return 401, "no salesforce key"
    req = urllib.request.Request(f"https://login.salesforce.com/services/data/v60.0{path}", headers={"Authorization": f"Bearer {k}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as r: return r.status, json.loads(r.read())
    except urllib.error.HTTPError as e: return e.code, e.read().decode("utf-8","ignore")
    except Exception as e: return 500, str(e)

def _list(a):
    c, d = _get("/sobjects")
    if c != 200: sys.stderr.write(f"HTTP {c}: {d}\n"); return 1
    return print_json(d)

def main():
    handle_meta_flags(PROVIDER, REQUIRED_SCOPES)
    p = argparse.ArgumentParser(prog="arq-salesforce"); s = p.add_subparsers(dest="cmd", required=True)
    sl = s.add_parser("list"); sl.set_defaults(func=_list, verb="list")
    args = p.parse_args()
    return call_with_audit(PROVIDER, args.verb, args.func, args)

if __name__ == "__main__": sys.exit(main())
