#!/usr/bin/env python3
"""arq-stripe — Stripe API bridge.
v0 verbs:
  arq-stripe balance get          — account balance
  arq-stripe charge list [--days N] — recent charges
"""
import argparse, json, os, sys, urllib.request, urllib.error
from datetime import UTC, datetime, timedelta
from pathlib import Path
sys.path.insert(0, str(Path(__file__).parent))
from _arq_provider_base import sops_extract, call_with_audit, print_json, handle_meta_flags

PROVIDER = "stripe"
REQUIRED_SCOPES: dict[str, list[str]] = {
    # Stripe Restricted-API-Key permission names (the granular auth model;
    # a full secret key satisfies all of these as a superset).
    "balance get": ["Balance:read"],
    "charge list": ["Charges:read"],
}
def _key(): return os.environ.get("STRIPE_SECRET_KEY") or sops_extract('["arqera_twin_admin"]["stripe"]["value"]') or sops_extract('["stripe"]["stripe_secret_key"]')
def _get(path):
    k = _key()
    if not k: return 401, "no stripe key"
    req = urllib.request.Request(f"https://api.stripe.com{path}", headers={"Authorization": f"Bearer {k}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as r: return r.status, json.loads(r.read())
    except urllib.error.HTTPError as e: return e.code, e.read().decode("utf-8","ignore")
    except Exception as e: return 500, str(e)

def _balance(a):
    c, d = _get("/v1/balance");
    if c != 200: sys.stderr.write(f"HTTP {c}: {d}\n"); return 1
    return print_json(d)
def _charges(a):
    end = int(datetime.now(UTC).timestamp())
    start = int((datetime.now(UTC) - timedelta(days=a.days)).timestamp())
    c, d = _get(f"/v1/charges?created[gte]={start}&created[lte]={end}&limit=50")
    if c != 200: sys.stderr.write(f"HTTP {c}: {d}\n"); return 1
    return print_json(d)

def main():
    handle_meta_flags(PROVIDER, REQUIRED_SCOPES)
    p = argparse.ArgumentParser(prog="arq-stripe"); s = p.add_subparsers(dest="cmd", required=True)
    sb = s.add_parser("balance"); sb2 = sb.add_subparsers(dest="action", required=True)
    sb2.add_parser("get").set_defaults(func=_balance, verb="balance get")
    sc = s.add_parser("charge"); sc2 = sc.add_subparsers(dest="action", required=True)
    scl = sc2.add_parser("list"); scl.add_argument("--days", type=int, default=30); scl.set_defaults(func=_charges, verb="charge list")
    args = p.parse_args()
    return call_with_audit(PROVIDER, args.verb, args.func, args)

if __name__ == "__main__": sys.exit(main())
