#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"

SECURE_DIR_DEFAULT="${HOME}/.secure-secrets"
SECRET_FILE_DEFAULT="${SECURE_DIR_DEFAULT}/chain138-keeper.env"
EXPORT_FILE_DEFAULT="${PROJECT_ROOT}/.env.keeper.local"

SECRET_FILE="${KEEPER_SECRET_FILE:-$SECRET_FILE_DEFAULT}"
EXPORT_FILE="${KEEPER_EXPORT_FILE:-$EXPORT_FILE_DEFAULT}"
FORCE=0
NO_EXPORT=0

usage() {
  cat <<EOF
Usage: $(basename "$0") [--force] [--no-export-file] [--secret-file PATH] [--export-file PATH]

Generates a dedicated Chain 138 keeper signer, stores the raw private key outside the repo,
and writes a gitignored local helper that sources it.

Defaults:
  secret file: $SECRET_FILE_DEFAULT
  export file: $EXPORT_FILE_DEFAULT

The secret file contains:
  KEEPER_PRIVATE_KEY=0x...
  KEEPER_SIGNER_ADDRESS=0x...

The export file does not contain the secret. It only sources the secret file.
EOF
}

while [[ $# -gt 0 ]]; do
  case "$1" in
    --secret-file)
      SECRET_FILE="$2"
      shift 2
      ;;
    --export-file)
      EXPORT_FILE="$2"
      shift 2
      ;;
    --force)
      FORCE=1
      shift
      ;;
    --no-export-file)
      NO_EXPORT=1
      shift
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "Unknown argument: $1" >&2
      usage >&2
      exit 1
      ;;
  esac
done

command -v openssl >/dev/null 2>&1 || { echo "openssl is required" >&2; exit 1; }
command -v cast >/dev/null 2>&1 || { echo "cast is required" >&2; exit 1; }

if [[ -f "$SECRET_FILE" && "$FORCE" -ne 1 ]]; then
  echo "Refusing to overwrite existing secret file: $SECRET_FILE" >&2
  echo "Re-run with --force to replace it." >&2
  exit 1
fi

umask 077
mkdir -p "$(dirname "$SECRET_FILE")"
chmod 700 "$(dirname "$SECRET_FILE")" 2>/dev/null || true

KEEPER_PRIVATE_KEY=""
KEEPER_SIGNER_ADDRESS=""
for _ in $(seq 1 8); do
  candidate="0x$(openssl rand -hex 32)"
  if addr="$(cast wallet address --private-key "$candidate" 2>/dev/null)"; then
    KEEPER_PRIVATE_KEY="$candidate"
    KEEPER_SIGNER_ADDRESS="$addr"
    break
  fi
done

if [[ -z "$KEEPER_PRIVATE_KEY" || -z "$KEEPER_SIGNER_ADDRESS" ]]; then
  echo "Failed to generate a valid keeper private key" >&2
  exit 1
fi

cat >"$SECRET_FILE" <<EOF
# Generated by $(basename "$0") on $(date -Iseconds)
KEEPER_PRIVATE_KEY=$KEEPER_PRIVATE_KEY
KEEPER_SIGNER_ADDRESS=$KEEPER_SIGNER_ADDRESS
EOF
chmod 600 "$SECRET_FILE"

if [[ "$NO_EXPORT" -ne 1 ]]; then
  cat >"$EXPORT_FILE" <<EOF
# Generated by $(basename "$0") on $(date -Iseconds)
# Local helper only; this file contains no secret material.
export KEEPER_SECRET_FILE="${SECRET_FILE}"
if [ -f "\${KEEPER_SECRET_FILE}" ]; then
  set -a
  # shellcheck source=/dev/null
  source "\${KEEPER_SECRET_FILE}"
  set +a
fi
EOF
  chmod 600 "$EXPORT_FILE"
fi

cat <<EOF
Keeper signer generated.
  Address: $KEEPER_SIGNER_ADDRESS
  Secret:  $SECRET_FILE
EOF

if [[ "$NO_EXPORT" -ne 1 ]]; then
  cat <<EOF
  Export:  $EXPORT_FILE

Next:
  1. source "$EXPORT_FILE"
  2. grant KEEPER_ROLE / allow the signer where required
  3. install KEEPER_PRIVATE_KEY on the runtime that submits performUpkeep()
EOF
fi