#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
source "$SCRIPT_DIR/_common.sh"

: "${MERKLE_RUN_DIR:=}"
: "${RFC3161_DIR:=}"
: "${ETH_RUN_DIR:=}"
: "${ETH_RPC_URL:=}"
: "${BTC_RUN_DIR:=}"
: "${BTC_NETWORK:=testnet}"
: "${OUTPUT_DIR:=$SKILL_ROOT/outputs}"

check_merkle() {
  local ok_root=false ok_levels=false root_hex=""
  [[ -f "$MERKLE_RUN_DIR/ROOT.txt" ]] && ok_root=true
  root_hex="$(grep '^root_hex=' "$MERKLE_RUN_DIR/ROOT.txt" | head -n1 | cut -d= -f2 || true)"
  [[ -d "$MERKLE_RUN_DIR/levels" || -d "$MERKLE_RUN_DIR/levels/" || -d "$MERKLE_RUN_DIR/levels" ]] && ok_levels=true || true
  echo "$ok_root|$ok_levels|$root_hex"
}

check_rfc3161() {
  # verifies token parses; full cryptographic verification requires TSA cert chain (not provided in v1).
  local ok_req=false ok_res=false ok_parse=false msg=""
  [[ -n "${RFC3161_DIR:-}" && -f "$RFC3161_DIR/request.tsq" ]] && ok_req=true
  [[ -n "${RFC3161_DIR:-}" && -f "$RFC3161_DIR/response.tsr" ]] && ok_res=true
  if [[ "$ok_res" == "true" ]] && command -v openssl >/dev/null 2>&1; then
    if openssl ts -reply -in "$RFC3161_DIR/response.tsr" -text >/dev/null 2>&1; then
      ok_parse=true
      msg="tsr_parsed_ok"
    else
      msg="openssl_failed_to_parse_tsr"
    fi
  else
    msg="skipped_no_openssl_or_missing_tsr"
  fi
  echo "$ok_req|$ok_res|$ok_parse|$msg"
}

check_eth() {
  local ok_txfile=false ok_receipt=false ok_seen=false tx=""
  if [[ -n "${ETH_RUN_DIR:-}" && -f "$ETH_RUN_DIR/tx_hash.txt" ]]; then
    ok_txfile=true
    tx="$(cat "$ETH_RUN_DIR/tx_hash.txt" | tr -d '\r\n')"
  fi
  if [[ -n "$tx" && -f "$ETH_RUN_DIR/tx_receipt.json" ]]; then ok_receipt=true; fi
  if [[ -n "$tx" && -n "${ETH_RPC_URL:-}" && command -v cast >/dev/null 2>&1 ]]; then
    if cast receipt --rpc-url "$ETH_RPC_URL" "$tx" >/dev/null 2>&1; then ok_seen=true; fi
  fi
  echo "$ok_txfile|$ok_receipt|$ok_seen|$tx"
}

check_btc() {
  local ok_txidfile=false ok_seen=false txid=""
  if [[ -n "${BTC_RUN_DIR:-}" && -f "$BTC_RUN_DIR/txid.txt" ]]; then
    ok_txidfile=true
    txid="$(cat "$BTC_RUN_DIR/txid.txt" | tr -d '\r\n')"
  fi
  if [[ -n "$txid" && command -v bitcoin-cli >/dev/null 2>&1 ]]; then
    flag="$(net_flag)"
    if bitcoin-cli $flag getrawtransaction "$txid" >/dev/null 2>&1; then ok_seen=true; fi
  fi
  echo "$ok_txidfile|$ok_seen|$txid"
}

main() {
  mkdir -p "$OUTPUT_DIR"
  ts="$(date -Iseconds | tr ':' '-')"
  out_dir="$OUTPUT_DIR/verify_${ts}"
  mkdir -p "$out_dir"

  # Merkle
  IFS='|' read -r m_ok_root m_ok_levels m_root <<< "$(check_merkle)"
  # RFC3161
  IFS='|' read -r r_ok_req r_ok_res r_ok_parse r_msg <<< "$(check_rfc3161)"
  # ETH
  IFS='|' read -r e_ok_txfile e_ok_receipt e_ok_seen e_tx <<< "$(check_eth)"
  # BTC
  IFS='|' read -r b_ok_txidfile b_ok_seen b_txid <<< "$(check_btc)"

  blockers="[]"
  if [[ "$m_ok_root" != "true" ]]; then blockers='["missing_merkle_root"]'; fi

  warnings=()
  if [[ -n "${RFC3161_DIR:-}" && "$r_ok_res" != "true" ]]; then warnings+=("missing_rfc3161_tsr"); fi
  if [[ -n "${ETH_RUN_DIR:-}" && "$e_ok_txfile" != "true" ]]; then warnings+=("missing_eth_tx_hash"); fi
  if [[ -n "${BTC_RUN_DIR:-}" && "$b_ok_txidfile" != "true" ]]; then warnings+=("missing_btc_txid"); fi

  # warnings json
  if [[ ${#warnings[@]} -eq 0 ]]; then warn_json="[]"
  else
    warn_json="["
    for i in "${!warnings[@]}"; do
      warn_json="${warn_json}\"${warnings[$i]}\""
      [[ $i -lt $((${#warnings[@]}-1)) ]] && warn_json="${warn_json},"
    done
    warn_json="${warn_json}]"
  fi

  cat > "$out_dir/status_matrix.json" <<EOF
{
  "skill": "proof-verifier",
  "timestamp": "$(date -Iseconds)",
  "inputs": {
    "merkle_run_dir": "$(json_escape "$MERKLE_RUN_DIR")",
    "rfc3161_dir": "$(json_escape "${RFC3161_DIR:-}")",
    "eth_run_dir": "$(json_escape "${ETH_RUN_DIR:-}")",
    "btc_run_dir": "$(json_escape "${BTC_RUN_DIR:-}")",
    "btc_network": "$(json_escape "$BTC_NETWORK")"
  },
  "root_hex": "$(json_escape "$m_root")",
  "checks": [
    {"name":"merkle_root_present", "ok": $m_ok_root},
    {"name":"merkle_levels_present_optional", "ok": $m_ok_levels},
    {"name":"rfc3161_request_present_optional", "ok": $r_ok_req},
    {"name":"rfc3161_response_present_optional", "ok": $r_ok_res},
    {"name":"rfc3161_tsr_parses_optional", "ok": $r_ok_parse, "note": "$(json_escape "$r_msg")"},
    {"name":"eth_tx_hash_present_optional", "ok": $e_ok_txfile, "tx": "$(json_escape "$e_tx")"},
    {"name":"eth_receipt_file_present_optional", "ok": $e_ok_receipt},
    {"name":"eth_tx_seen_by_rpc_optional", "ok": $e_ok_seen},
    {"name":"btc_txid_present_optional", "ok": $b_ok_txidfile, "txid": "$(json_escape "$b_txid")"},
    {"name":"btc_tx_seen_by_node_optional", "ok": $b_ok_seen}
  ],
  "blockers": $blockers,
  "warnings": $warn_json,
  "next_steps": ["archive PROOF.json and ROOT.txt", "anchor again if needed", "store verifier output as receipt"]
}
EOF

  echo "$out_dir" > "$OUTPUT_DIR/last_verify_dir.txt"
  log_info "Wrote $out_dir/status_matrix.json"
  cat "$out_dir/status_matrix.json"
}
main "$@"