#!/usr/bin/env bash
# Create the "AI Prod" 1Password vault and all required items with placeholder values.
# Run this once on a fresh setup, then edit each item in 1Password with real values.
#
# Usage:
#   bin/op-setup              # Create vault and all items
#   bin/op-setup --dry-run    # Print what would be created without doing it

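# Abort on error, on unset variables and on failures inside pipelines; the
# original `set -e` alone lets a misspelt variable expand to nothing silently.
set -euo pipefail

readonly VAULT="AI Prod"
DRY_RUN=false

# Colors (escape sequences are interpreted by `echo -e` / `printf %b`)
readonly RED='\033[0;31m'
readonly GREEN='\033[0;32m'
readonly YELLOW='\033[1;33m'
readonly BLUE='\033[0;34m'
readonly NC='\033[0m'

# Print usage to stderr and exit with a non-zero status.
usage() {
    printf 'Usage: %s [--dry-run]\n' "${0##*/}" >&2
    exit 2
}

# Argument handling. Only `--dry-run` is accepted; any other argument (for
# example a typo of --dry-run) previously fell through and the script went on
# to create real items, so it is now rejected before anything runs.
case "${1:-}" in
    --dry-run)
        DRY_RUN=true
        echo -e "${YELLOW}Dry run mode — no changes will be made${NC}"
        ;;
    '')
        ;;
    -h|--help)
        printf 'Usage: %s [--dry-run]\n' "${0##*/}"
        exit 0
        ;;
    *)
        printf 'Unknown argument: %s\n' "$1" >&2
        usage
        ;;
esac
# Extra positional arguments are equally unexpected.
(( $# <= 1 )) || usage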

# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------

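#######################################
# Execute a command, or only print it when DRY_RUN is true.
# Globals:   DRY_RUN (read), BLUE, NC (read)
# Arguments: the command and its arguments
# Outputs:   in dry-run mode, the shell-quoted command on stdout
# Returns:   the command's exit status (0 in dry-run mode)
#######################################
run() {
    if $DRY_RUN; then
        # Render the command shell-quoted so the printed plan is unambiguous
        # (an argument containing a space shows as `AI\ Prod`, not split) and
        # can be pasted back verbatim. Every argument is echoed, including
        # field values, so only placeholder values should reach a dry run.
        local quoted
        printf -v quoted '%q ' "$@"
        printf '  %b[dry-run]%b %s\n' "$BLUE" "$NC" "${quoted% }"
    else
        "$@"
    fi
}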

#######################################
# Test whether an item with the given title is present in $VAULT.
# Globals:   VAULT (read)
# Arguments: $1 - item title
# Returns:   op's exit status; 0 means the item was found. Note that stdout
#            and stderr are discarded, so ANY non-zero exit from op (expired
#            session, ambiguous title, ...) reads as "does not exist".
#######################################
item_exists() {
    local wanted=$1
    op item get "$wanted" --vault "$VAULT" >/dev/null 2>&1
}

#######################################
# Create a Login item in $VAULT unless one with that title already exists.
# Globals:   VAULT, GREEN, YELLOW, NC (read); DRY_RUN via run()
# Arguments: $1 - item title; remaining args - `field[type]=value` assignments
#            passed straight to `op item create`
# Outputs:   a one-line status message on stdout
# Returns:   0 when skipped, otherwise the exit status of run/op
# Note: item_exists() treats every op failure as "absent", so if op errors for
# another reason this will attempt a create rather than skip.
#######################################
create_item() {
    local title=$1
    shift

    if item_exists "$title"; then
        printf '  %b↩%b  %b — already exists, skipping\n' "$YELLOW" "$NC" "$title"
        return 0
    fi

    printf '  %b+%b  Creating: %b\n' "$GREEN" "$NC" "$title"
    local -a op_args=(--vault "$VAULT" --category "Login" --title "$title")
    run op item create "${op_args[@]}" "$@"
}

# ---------------------------------------------------------------------------
# Step 1: Ensure vault exists
# ---------------------------------------------------------------------------

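echo ""
echo -e "${BLUE}=== 1Password Vault ===${NC}"
echo ""

# Preflight. Every later check discards op's stderr, so a missing binary or an
# expired session would otherwise be reported as "vault/item does not exist"
# and, in dry-run mode, yield a plan that creates everything. Fail loudly here.
if ! command -v op >/dev/null 2>&1; then
    echo -e "${RED}✗${NC} 1Password CLI (op) not found in PATH" >&2
    exit 1
fi
if ! op whoami >/dev/null 2>&1; then
    echo -e "${RED}✗${NC} Not signed in to 1Password — run 'op signin' first" >&2
    exit 1
fi

# Create the vault only when it is absent (read-only check; creation goes
# through run() so dry-run just prints it).
if op vault get "$VAULT" >/dev/null 2>&1; then
    echo -e "${GREEN}✓${NC} Vault '$VAULT' already exists"
else
    echo -e "${GREEN}+${NC} Creating vault: $VAULT"
    run op vault create "$VAULT"
fi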

# ---------------------------------------------------------------------------
# Step 2: Create items
# ---------------------------------------------------------------------------

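echo ""
echo -e "${BLUE}=== Creating Items in '$VAULT' ===${NC}"
echo ""

#######################################
# Print a random value for fields that are signing or authentication secrets,
# so that a forgotten "replace the placeholders" step cannot leave a publicly
# known string (e.g. the jwt_secret that signs sessions) in service.
# The placeholder is printed instead when openssl is unavailable, and in
# dry-run mode — run() echoes every argument, so no fresh secret should be
# minted only to land on the terminal.
# Hex (not base64) is used so the value needs no escaping inside connection
# URLs or env files.
# Globals:   DRY_RUN (read)
# Arguments: $1 - placeholder to fall back to
# Outputs:   64 hex chars, or the placeholder, on stdout (no newline)
#######################################
gen_secret() {
    local placeholder="$1"
    local value
    if $DRY_RUN || ! command -v openssl >/dev/null 2>&1; then
        printf '%s' "$placeholder"
    elif value=$(openssl rand -hex 32) && [[ -n "$value" ]]; then
        printf '%s' "$value"
    else
        # openssl present but failed: keep the visible placeholder rather than
        # storing an empty password.
        printf '%s' "$placeholder"
    fi
}

# --- PostgreSQL ---
# Used by: gateway (DB connection), minio-init job (postgres metadata)
# password: generated at creation (see gen_secret); placeholder only in dry-run
# or when openssl is missing.
create_item "PostgreSQL" \
    "password[password]=$(gen_secret REPLACE_WITH_STRONG_PASSWORD)"

# --- MinIO ---
# Used by: minio StatefulSet, flink-secrets, gateway-secrets (iceberg S3), sandbox-secrets
# access_key = MinIO root user (equivalent to AWS_ACCESS_KEY_ID)
# secret_key = MinIO root password (equivalent to AWS_SECRET_ACCESS_KEY),
#              generated at creation (see gen_secret)
create_item "MinIO" \
    "access_key[text]=minio-admin" \
    "secret_key[password]=$(gen_secret REPLACE_WITH_STRONG_SECRET_KEY)"

# --- Gateway ---
# Used by: ai-secrets (anthropic_api_key), gateway-secrets (all LLM keys + jwt_secret)
# jwt_secret: used to sign user sessions — generated at creation (see gen_secret);
#             to rotate by hand: openssl rand -base64 48
# anthropic_api_key: Anthropic Console → API Keys (https://console.anthropic.com)
# openai_api_key: OpenAI Platform → API Keys (https://platform.openai.com)
# google_api_key: Google AI Studio (https://aistudio.google.com)
# openrouter_api_key: OpenRouter (https://openrouter.ai)
# Vendor API keys cannot be generated here and stay as placeholders.
create_item "Gateway" \
    "anthropic_api_key[password]=sk-ant-REPLACE_ME" \
    "jwt_secret[password]=$(gen_secret REPLACE_WITH_RANDOM_64_CHAR_SECRET)" \
    "openai_api_key[password]=sk-REPLACE_ME" \
    "google_api_key[password]=REPLACE_ME" \
    "openrouter_api_key[password]=sk-or-REPLACE_ME"

# --- Telegram ---
# Used by: gateway-secrets (optional Telegram bot integration)
# bot_token: BotFather → /newbot (https://t.me/BotFather)
# Leave as placeholder if Telegram integration is not needed.
create_item "Telegram" \
    "bot_token[password]=REPLACE_ME_OR_LEAVE_EMPTY"

# --- Ingestor ---
# Used by: ingestor-secrets (exchange API keys for CCXT market data)
# Keys with empty/placeholder values will cause the ingestor to skip that exchange.
# Binance: https://www.binance.com/en/my/settings/api-management
# Coinbase: https://portal.cdp.coinbase.com/
# Kraken: https://www.kraken.com/u/security/api
create_item "Ingestor" \
    "binance_api_key[text]=REPLACE_ME" \
    "binance_api_secret[password]=REPLACE_ME" \
    "coinbase_api_key[text]=REPLACE_ME" \
    "coinbase_api_secret[password]=REPLACE_ME" \
    "kraken_api_key[text]=REPLACE_ME" \
    "kraken_api_secret[password]=REPLACE_ME"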

# ---------------------------------------------------------------------------
# Done
# ---------------------------------------------------------------------------

# Final summary. Each string goes through printf '%b' so the color escape
# sequences are interpreted exactly as `echo -e` would.
echo ""
if ! $DRY_RUN; then
    printf '%b\n' "${GREEN}✓ Setup complete.${NC}" ""
    printf '%b\n' \
        "Next steps:" \
        "  1. Open 1Password and update each item in the '${VAULT}' vault with real values:" \
        "     • PostgreSQL  → set a strong random password" \
        "     • MinIO       → set a strong secret_key (access_key can stay as-is)" \
        "     • Gateway     → add real API keys and a random jwt_secret" \
        "     • Ingestor    → add real exchange API keys" \
        "     • Telegram    → add bot token (or leave placeholder if unused)" \
        "" \
        "  2. Verify op:// references resolve correctly:" \
        "     op inject -i deploy/k8s/prod/secrets/gateway-secrets.tpl.yaml | head -20" \
        "" \
        "  3. Continue with cluster setup:" \
        "     bin/secret-update prod"
else
    printf '%b\n' "${YELLOW}Dry run complete — no items were created.${NC}"
fi
echo ""
