#!/usr/bin/env bash
# larry-auth.sh — top-level auth wrapper.
#   larry-auth.sh --api-key [--no-validate]   set the per-client API key (default rail)
#   larry-auth.sh --api-key --clear           remove the stored key
#   larry-auth.sh --api-key --status          show the key masked
#   larry-auth.sh <login|logout|status|...>   forward to lib/oauth.sh (opt-in OAuth)
#
# API key is the DEFAULT / sanctioned rail (v0.8.10). OAuth is opt-in and risks
# the user's Max account (Anthropic blocks Claude-Code impersonation). See
# Deliverables/2026-05-27-cloverleaf-larry-api-key-default-rail.md.
set -e

SELF_DIR="$(cd "$(dirname "$0")" && pwd)"
LARRY_HOME="${LARRY_HOME:-$HOME/.larry}"
LARRY_API_KEY_FILE="${LARRY_API_KEY_FILE:-$LARRY_HOME/.api-key}"
LARRY_API_URL="${LARRY_API_URL:-https://api.anthropic.com/v1/messages}"
LARRY_MODEL="${LARRY_MODEL:-claude-sonnet-4-6}"

# strip_cr — prefer the shared primitive; fall back to inline parameter expansion.
if [ -r "$SELF_DIR/lib/cygwin-safe.sh" ]; then
  # shellcheck disable=SC1091
  . "$SELF_DIR/lib/cygwin-safe.sh"
elif [ -r "$LARRY_HOME/lib/cygwin-safe.sh" ]; then
  # shellcheck disable=SC1091
  . "$LARRY_HOME/lib/cygwin-safe.sh"
fi
command -v strip_cr >/dev/null 2>&1 || strip_cr() { local v="${1:-}"; printf '%s' "${v//$'\r'/}"; }

_mask_api_key() {
  local k; k=$(strip_cr "${1:-}")
  [ -z "$k" ] && { printf '(none)'; return 0; }
  local len=${#k}
  [ "$len" -le 12 ] && { printf '(set, len=%d)' "$len"; return 0; }
  printf '%s…%s (len=%d)' "$(printf '%s' "$k" | cut -c1-13)" "$(printf '%s' "$k" | tail -c 4)" "$len"
}

# One cheap test call to confirm the key authenticates. 0=valid, 1=invalid
# (prints HTTP code), 2=could-not-test (no curl / network).
_validate_api_key() {
  local key; key=$(strip_cr "${1:-}")
  command -v curl >/dev/null 2>&1 || return 2
  local body code
  body='{"model":"'"$LARRY_MODEL"'","max_tokens":1,"messages":[{"role":"user","content":"hi"}]}'
  # Key via --config on stdin (off argv / process table).
  code=$(printf 'header = "x-api-key: %s"\n' "$key" | curl -sS -o /dev/null -w '%{http_code}' --config - \
    -H "anthropic-version: 2023-06-01" -H "content-type: application/json" \
    --max-time 20 -d "$body" "$LARRY_API_URL" 2>/dev/null) || return 2
  [ "$code" = "200" ] && return 0
  printf '%s' "$code"; return 1
}

set_api_key_cli() {
  local do_validate=1
  [ "${1:-}" = "--no-validate" ] && do_validate=0
  mkdir -p "$LARRY_HOME" 2>/dev/null || true
  echo "Set Anthropic API key (per-client). Mint one for THIS machine at"
  echo "https://console.anthropic.com — one dedicated, independently-revocable key."
  echo "Stored at $LARRY_API_KEY_FILE (mode 0600); never leaves this machine."
  printf 'Paste key (input hidden): '
  local key=""
  read -rs key 2>/dev/null || read -r key
  echo ""
  key=$(strip_cr "$key"); key="${key//$'\n'/}"
  key="${key#"${key%%[![:space:]]*}"}"; key="${key%"${key##*[![:space:]]}"}"
  [ -z "$key" ] && { echo "larry-auth: no key entered — nothing changed" >&2; return 1; }
  case "$key" in sk-ant-*) : ;; *) echo "warning: doesn't look like sk-ant-... — storing anyway" >&2 ;; esac
  if [ "$do_validate" = "1" ]; then
    printf 'Validating… '
    local vout vrc; vout=$(_validate_api_key "$key"); vrc=$?
    if [ "$vrc" = "0" ]; then echo "valid"
    elif [ "$vrc" = "2" ]; then echo "skipped (curl/network unavailable)"
    else echo "FAILED (HTTP ${vout:-?})"; echo "larry-auth: key did not authenticate — not stored." >&2; key=""; return 1; fi
  fi
  umask 077
  printf '%s\n' "$key" > "$LARRY_API_KEY_FILE"
  chmod 600 "$LARRY_API_KEY_FILE" 2>/dev/null || true
  echo "stored at $LARRY_API_KEY_FILE (0600) — $(_mask_api_key "$key")"
  key=""
}

case "${1:-status}" in
  --api-key|--apikey|api-key|apikey)
    shift
    case "${1:-}" in
      --clear)
        if [ -f "$LARRY_API_KEY_FILE" ]; then rm -f "$LARRY_API_KEY_FILE"; echo "cleared $LARRY_API_KEY_FILE"
        else echo "no key file to remove ($LARRY_API_KEY_FILE)"; fi ;;
      --status)
        if [ -f "$LARRY_API_KEY_FILE" ]; then
          k=$(strip_cr "$(cat "$LARRY_API_KEY_FILE" 2>/dev/null)"); k="${k//$'\n'/}"
          echo "API key: $(_mask_api_key "$k")  [$LARRY_API_KEY_FILE]"; k=""
        else echo "API key: (none set) — run: larry-auth.sh --api-key"; fi ;;
      --no-validate) set_api_key_cli --no-validate ;;
      ""|set) set_api_key_cli ;;
      *) echo "usage: larry-auth.sh --api-key [--clear|--status|--no-validate]" >&2; exit 2 ;;
    esac
    ;;
  *)
    # OAuth (opt-in) path — forward to lib/oauth.sh.
    OAUTH=""
    for c in "$SELF_DIR/lib/oauth.sh" "$LARRY_HOME/lib/oauth.sh"; do
      [ -x "$c" ] && { OAUTH="$c"; break; }
    done
    [ -n "$OAUTH" ] || { echo "larry-auth: cannot find lib/oauth.sh — reinstall larry-anywhere" >&2; exit 1; }
    exec "$OAUTH" "$@"
    ;;
esac