#!/usr/bin/env bash
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
SKILL_ROOT="$(dirname "$SCRIPT_DIR")"
source "$SCRIPT_DIR/_common.sh"

: "${VAULT_ROOT:=~/infrastructure/vault}"
: "${AGE_KEYS_FILE:=~/.config/sops/age/keys.txt}"
: "${RECIPIENTS_FILE:=$SKILL_ROOT/outputs/recipients.txt}"

main() {
  vr="$(expand_path "$VAULT_ROOT")"
  kf="$(expand_path "$AGE_KEYS_FILE")"

  status="$SKILL_ROOT/outputs/status_matrix.json"
  ok_keys=false; ok_perm=false; ok_policy=false; ok_cipher=false

  [[ -f "$kf" ]] && ok_keys=true
  if [[ -f "$kf" ]]; then
    perm="$(stat -c '%a' "$kf" 2>/dev/null || echo "")"
    [[ "$perm" == "600" ]] && ok_perm=true
  fi

  [[ -f "$vr/.sops.yaml" ]] && ok_policy=true
  if [[ -f "$vr/secrets/cloudflare.enc.yaml" && -f "$vr/secrets/gitea.enc.yaml" && -f "$vr/secrets/registry.enc.yaml" && -f "$vr/secrets/k8s.enc.yaml" ]]; then
    ok_cipher=true
  fi

  blockers="[]"
  if [[ "$ok_keys" != "true" ]]; then blockers='["missing_age_identity"]'
  elif [[ "$ok_policy" != "true" ]]; then blockers='["missing_sops_policy"]'
  elif [[ "$ok_cipher" != "true" ]]; then blockers='["missing_encrypted_templates"]'
  fi

  cat > "$status" <<EOF
{
  "skill":"secrets-vault",
  "timestamp":"$(date -Iseconds)",
  "vault_root":"$(json_escape "$vr")",
  "checks":[
    {"name":"age_identity_present", "ok": $ok_keys, "path":"$(json_escape "$kf")"},
    {"name":"age_identity_perm_600", "ok": $ok_perm},
    {"name":"sops_policy_present", "ok": $ok_policy, "path":"$(json_escape "$vr/.sops.yaml")"},
    {"name":"encrypted_templates_present", "ok": $ok_cipher}
  ],
  "blockers": $blockers,
  "warnings": [],
  "next_steps": ["commit vault ciphertext to git", "cloudflare-tunnel-manager", "container-registry"]
}
EOF

  log_info "Wrote $status"
  cat "$status"
}
main "$@"