#!/usr/bin/env bash
set -euo pipefail

monitor_interval="${MCODEX_MONITOR_INTERVAL:-5}"
live_accounts=0
tmux_history_limit="${MCODEX_TMUX_HISTORY_LIMIT:-50000}"

# Security: monitor_interval is embedded into `watch -n <n> ...` command strings
# that tmux hands to a shell. An attacker-controlled MCODEX_MONITOR_INTERVAL like
# "5; rm -rf ~" would otherwise execute. Require a positive integer (optionally
# with a fractional part for sub-second intervals) and fall back to the default
# otherwise, so no shell metacharacters can ever reach the command string.
if ! [[ "$monitor_interval" =~ ^[0-9]+(\.[0-9]+)?$ ]]; then
  echo "mcodex: invalid MCODEX_MONITOR_INTERVAL '$monitor_interval'; using 5" >&2
  monitor_interval=5
fi

# Same hardening for the tmux scrollback history limit (used as a tmux option
# argument): must be a plain integer.
if ! [[ "$tmux_history_limit" =~ ^[0-9]+$ ]]; then
  echo "mcodex: invalid MCODEX_TMUX_HISTORY_LIMIT '$tmux_history_limit'; using 50000" >&2
  tmux_history_limit=50000
fi

quote_args() {
  local quoted=()
  local arg
  for arg in "$@"; do
    printf -v arg '%q' "$arg"
    quoted+=("$arg")
  done
  # Join with single spaces and NO trailing space (a trailing space would become
  # part of the interpolated tmux command string).
  local IFS=' '
  printf '%s' "${quoted[*]}"
}

require_watch() {
  if ! command -v watch >/dev/null 2>&1; then
    echo "mcodex: 'watch' is not installed; the live account monitor requires it (install procps / procps-ng)." >&2
    return 1
  fi
}

run_monitor() {
  require_watch || return 1
  watch -n "$monitor_interval" 'codex-multi-auth list'
}

configure_tmux_scrollback() {
  local target="${1:-}"
  local target_args=()
  if [[ -n "$target" ]]; then
    target_args=(-t "$target")
  fi

  tmux set-option "${target_args[@]}" mouse on >/dev/null 2>&1
  tmux set-option "${target_args[@]}" history-limit "$tmux_history_limit" >/dev/null 2>&1
  tmux bind-key -T root WheelUpPane copy-mode -e >/dev/null 2>&1
  tmux bind-key -T copy-mode WheelUpPane send-keys -X scroll-up >/dev/null 2>&1
  tmux bind-key -T copy-mode WheelDownPane send-keys -X scroll-down >/dev/null 2>&1
  tmux bind-key -T copy-mode-vi WheelUpPane send-keys -X scroll-up >/dev/null 2>&1
  tmux bind-key -T copy-mode-vi WheelDownPane send-keys -X scroll-down >/dev/null 2>&1
}

if [[ "${1:-}" == "--monitor" ]]; then
  # --monitor takes no extra args; the live account list is fixed. Propagate the
  # watch-availability check's exit code instead of masking it with `exit 0`.
  run_monitor
  exit $?
fi

if [[ "${1:-}" == "--tmux" || "${1:-}" == "-t" ]]; then
  shift
  if [[ "${1:-}" == "--live-accounts" ]]; then
    live_accounts=1
    shift
  fi
  if ! command -v tmux >/dev/null 2>&1; then
    echo "mcodex: tmux is not installed; launching without tmux" >&2
    exec codex-multi-auth-codex "$@"
  fi

  if [[ -n "${TMUX:-}" ]]; then
    configure_tmux_scrollback
    if [[ "$live_accounts" == "1" ]] && require_watch; then
      tmux split-window -h "watch -n $monitor_interval 'codex-multi-auth list'"
    fi
    exec codex-multi-auth-codex "$@"
  fi

  session="${MCODEX_TMUX_SESSION:-mcodex}"
  suffix="$(date +%H%M%S)"
  if tmux has-session -t "$session" 2>/dev/null; then
    session="${session}-${suffix}"
  fi

  # Build the inner shell-command as a single string. quote_args runs each arg
  # through printf %q, so every token is already shell-safe (embedded quotes,
  # spaces, $, backticks are escaped); the surrounding expansion is not
  # re-evaluated, so the command tmux receives is exactly this string.
  cmd="codex-multi-auth-codex"
  args="$(quote_args "$@")"
  if [[ -n "$args" ]]; then
    cmd="$cmd $args"
  fi
  tmux new-session -d -s "$session" -n codex "$cmd"
  configure_tmux_scrollback "$session"
  if [[ "$live_accounts" == "1" ]] && require_watch; then
    tmux split-window -h -t "$session:0" "watch -n $monitor_interval 'codex-multi-auth list'"
  fi
  tmux select-pane -t "$session:0.0"
  tmux attach-session -t "$session"
  exit 0
fi

exec codex-multi-auth-codex "$@"
