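#!/usr/bin/env bash
# Consolidate all .env secrets into one file for backup/download.
# Run from proxmox repo root. Output: one .env-style file (path as first argument).
# Usage: bash scripts/consolidate-secrets-into-file.sh [OUTPUT_FILE]
# Example: bash scripts/consolidate-secrets-into-file.sh ~/secrets-consolidated.env
# SECURITY: Run locally only. Output contains real secrets; chmod 600 and never commit.
#
# NOTE: the script changes directory to PROJECT_ROOT before OUTPUT is opened,
# so a relative OUTPUT_FILE (including the default) is created inside the
# repository. Prefer a path outside the work tree, or make sure the name is
# covered by .gitignore.
#
# Requires bash 4+ (associative arrays).

set -euo pipefail

# Everything this script creates must be owner-only from the moment it exists.
# Relying on a chmod after the write leaves a window in which the secrets are
# readable under a permissive umask (022 is a common default).
umask 077

PROJECT_ROOT="${PROJECT_ROOT:-$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)}"
cd "$PROJECT_ROOT"

OUTPUT="${1:-secrets-consolidated.env}"

# Keys we care about (from SECRETS_CONSOLIDATED_DOWNLOAD.env); order preserved.
# Only these keys are written to the output; any other key found in a source
# file is ignored.
KEYS=(
  PROXMOX_ML110 PROXMOX_R630_01 PROXMOX_R630_02
  PROXMOX_HOST PROXMOX_PORT PROXMOX_USER
  PROXMOX_TOKEN_NAME PROXMOX_TOKEN_VALUE PROXMOX_ALLOW_ELEVATED
  CLOUDFLARE_API_TOKEN CLOUDFLARE_EMAIL CLOUDFLARE_API_KEY
  CLOUDFLARE_ZONE_ID CLOUDFLARE_ZONE_ID_D_BIS_ORG CLOUDFLARE_ZONE_ID_MIM4U_ORG
  CLOUDFLARE_ZONE_ID_SANKOFA_NEXUS CLOUDFLARE_ZONE_ID_DEFI_ORACLE_IO
  CLOUDFLARE_TUNNEL_TOKEN CLOUDFLARE_TUNNEL_ID CLOUDFLARE_TUNNEL_ID_ALLTRA_HYBX
  CLOUDFLARE_TUNNEL_ID_MIFOS_R630_02 CLOUDFLARE_TUNNEL_TOKEN_MIFOS_R630_02
  CLOUDFLARE_ORIGIN_CA_KEY CLOUDFLARE_ACCOUNT_ID
  CLOUDNS_AUTH_ID CLOUDNS_AUTH_PASSWORD
  NPM_URL NPM_EMAIL NPM_PASSWORD NPM_HOST NPM_PROXMOX_HOST NPMPLUS_HOST
  NPM_VMID NPMPLUS_VMID NPMPLUS_ALLTRA_HYBX_VMID IP_NPMPLUS_ALLTRA_HYBX
  NPM_URL_MIFOS
  FASTLY_API_TOKEN
  PUBLIC_IP PROXMOX_HOST_FOR_TEST
  UNIFI_UDM_URL UNIFI_API_KEY UNIFI_API_MODE UNIFI_SITE_ID UNIFI_VERIFY_SSL
  OMADA_API_KEY OMADA_CLIENT_SECRET
  GITEA_URL GITEA_TOKEN GITEA_ORG
  DATABASE_URL
  JWT_SECRET JWT_REFRESH_SECRET JWT_EXPIRES_IN JWT_REFRESH_EXPIRES_IN
  SESSION_SECRET ADMIN_CENTRAL_API_KEY DBIS_CENTRAL_URL ADMIN_JWT_SECRET
  STORAGE_TYPE STORAGE_PATH
  AWS_REGION AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_S3_BUCKET
  AZURE_STORAGE_CONNECTION_STRING AZURE_STORAGE_CONTAINER
  PRIVATE_KEY
  RPC_URL_138 RPC_URL_138_PUBLIC ETHEREUM_MAINNET_RPC
  CHAIN_651940_RPC_URL ETHERLINK_RPC_URL TEZOS_RPC_URL
  ETHERSCAN_API_KEY ETHERLINK_CCIP_SELECTOR
  TEZOS_BRIDGE_ENABLED ETHERLINK_BRIDGE_ENABLED
  TEZOS_RELAY_ORACLE_KEY ETHERLINK_RELAY_BRIDGE ETHERLINK_RELAY_PRIVATE_KEY
  JUMPER_API_KEY ONEINCH_API_KEY
  MOONPAY_API_KEY MOONPAY_SECRET_KEY RAMP_NETWORK_API_KEY ONRAMPER_API_KEY
  SLACK_WEBHOOK_URL PAGERDUTY_INTEGRATION_KEY
  EMAIL_ALERT_API_URL EMAIL_ALERT_RECIPIENTS
  SENTRY_DSN E_SIGNATURE_BASE_URL
  CRYPTO_COM_API_KEY CRYPTO_COM_API_SECRET CRYPTO_COM_ENVIRONMENT
  BINANCE_API_KEY BINANCE_API_SECRET
  KRAKEN_API_KEY KRAKEN_PRIVATE_KEY
  OANDA_API_KEY OANDA_ACCOUNT_ID OANDA_ENVIRONMENT
  FXCM_API_TOKEN
  COINGECKO_API_KEY COINDESK_API_KEY COINMARKETCAP_API_KEY DEXSCREENER_API_KEY
  MIFOS_BASE_URL MIFOS_TENANT MIFOS_USER MIFOS_PASSWORD MIFOS_INSECURE
  OMNL_FINERACT_BASE_URL OMNL_FINERACT_TENANT
  OMNL_FINERACT_USER OMNL_FINERACT_PASSWORD
  SANKOFA_PHOENIX_API_URL SANKOFA_PHOENIX_CLIENT_ID
  SANKOFA_PHOENIX_CLIENT_SECRET SANKOFA_PHOENIX_TENANT_ID
  VITE_WALLETCONNECT_PROJECT_ID VITE_THIRDWEB_CLIENT_ID
  VITE_ETHERSCAN_API_KEY VITE_SENTRY_DSN VITE_API_URL VITE_API_BASE_URL
  NEXT_PUBLIC_API_URL NEXT_PUBLIC_CHAIN_ID
  METAMASK_API_KEY THIRDWEB_SECRET_KEY NPM_ACCESS_TOKEN
  PARASWAP_API_KEY ZEROX_API_KEY
  MONGO_USER MONGO_PASSWORD MONGO_IP MONGO_PORT MONGO_DATABASE
  CHAIN138_RPC_URL RPC_URL_138_FIREBLOCKS WS_URL_138_FIREBLOCKS CHAIN_ID_138
  PORT MARKET_REPORTING_API_KEY E_FILING_ENABLED NODE_ENV
)

# Sources: path -> prefix for comments. SOURCE_ORDER records the paths in
# registration order, because iterating the keys of an associative array does
# not follow insertion order and "first occurrence wins" needs a fixed,
# predictable precedence.
declare -A SOURCES=()
declare -a SOURCE_ORDER=()

#######################################
# Register one .env file as a source.
# Globals:   SOURCES (written), SOURCE_ORDER (written)
# Arguments: $1 - path to the .env file, $2 - short label for the source
#######################################
add_source() {
  SOURCES["$1"]="$2"
  SOURCE_ORDER+=("$1")
}

add_source "$PROJECT_ROOT/.env" "root"
add_source "$PROJECT_ROOT/.env.master" "root"
if [[ -d "$PROJECT_ROOT/smom-dbis-138" ]]; then
  add_source "$PROJECT_ROOT/smom-dbis-138/.env" "smom"
fi
if [[ -d "$PROJECT_ROOT/dbis_core" ]]; then
  add_source "$PROJECT_ROOT/dbis_core/.env" "dbis"
fi
if [[ -d "$PROJECT_ROOT/OMNIS" && -f "$PROJECT_ROOT/OMNIS/backend/.env" ]]; then
  add_source "$PROJECT_ROOT/OMNIS/backend/.env" "omnis"
fi
if [[ -d "$PROJECT_ROOT/omada-api" ]]; then
  add_source "$PROJECT_ROOT/omada-api/.env" "omada"
fi
if [[ -d "$PROJECT_ROOT/phoenix-deploy-api" ]]; then
  add_source "$PROJECT_ROOT/phoenix-deploy-api/.env" "phoenix"
fi
if [[ -d "$PROJECT_ROOT/ProxmoxVE/api" ]]; then
  add_source "$PROJECT_ROOT/ProxmoxVE/api/.env" "proxmoxve"
fi

#######################################
# Print every KEY=value line of one .env file, one per line.
# Only lines that begin with a plain identifier followed by '=' are accepted,
# so comments, blank lines and "export KEY=..." lines are skipped. The value
# is passed through verbatim (surrounding quotes are not stripped).
# Arguments: $1 - path to the .env file; a missing file is not an error
# Outputs:   KEY=value lines on stdout
# Returns:   0
#######################################
export_from() {
  local f="$1"
  local line key value
  [[ -f "$f" ]] || return 0
  # "|| [[ -n $line ]]" keeps a final line that has no trailing newline;
  # without it the last assignment of such a file is silently dropped.
  while IFS= read -r line || [[ -n "$line" ]]; do
    [[ "$line" =~ ^[A-Za-z_][A-Za-z0-9_]*= ]] || continue
    key="${line%%=*}"
    value="${line#*=}"
    printf '%s\n' "$key=$value"
  done < "$f"
}

# Collect key=value from all sources, in SOURCE_ORDER. The first non-empty
# value seen for a key wins; an empty value does not block a later source from
# supplying one.
declare -A collected=()
for path in "${SOURCE_ORDER[@]}"; do
  while IFS= read -r line; do
    key="${line%%=*}"
    [[ -n "$key" ]] || continue
    [[ -z "${collected[$key]:-}" ]] || continue
    collected[$key]="${line#*=}"
  done < <(export_from "$path")
done

# Build the output in a private temp file beside the target and rename it into
# place. A pre-existing OUTPUT with loose permissions is never written through,
# and a failed run does not leave a partial secrets file at the final path.
tmp_out=""
cleanup() {
  [[ -z "$tmp_out" ]] || rm -f -- "$tmp_out"
}
trap cleanup EXIT

tmp_out="$(mktemp "${OUTPUT}.XXXXXX")"

# Header + each KEY from KEYS (value from collected if present, else empty).
{
  printf '%s\n' \
    "# =============================================================================" \
    "# CONSOLIDATED SECRETS — Filled from local .env files" \
    "# Generated: $(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
    "# SECURITY: chmod 600 this file; never commit." \
    "# ============================================================================="
  for key in "${KEYS[@]}"; do
    printf '%s=%s\n' "$key" "${collected[$key]:-}"
  done
} > "$tmp_out"

chmod 600 -- "$tmp_out"
mv -f -- "$tmp_out" "$OUTPUT"
tmp_out=""

printf '%s\n' "Written to $OUTPUT ($(wc -l < "$OUTPUT") lines). Keep secure; do not commit."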