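#!/bin/bash
set -e

# Bootstrap installer - Universal kickstart script
# Decrypts and executes target-specific setup scripts.
#
# Usage: bootstrap [TARGET]
#   TARGET  base name of the "<TARGET>.sh.enc" file that sits next to this
#           script (default: nbmain).
#
# Flow: validate TARGET, make sure an SSH agent holding an Ed25519 key is
# reachable, decrypt <TARGET>.sh.enc with nbcrypt into a private temporary
# directory, run the decrypted script, then delete the plaintext.

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"

# Default target is nbmain (nbase2)
TARGET="${1:-nbmain}"

# TARGET is spliced into file paths below. Reject path separators so it cannot
# point outside SCRIPT_DIR or the temporary directory, and a leading dash so
# it can never be read as an option by a later command.
case "$TARGET" in
  */* | -*)
    echo "❌ Error: Invalid target name '${TARGET}'." >&2
    exit 1
    ;;
esac

ENC_FILE="${SCRIPT_DIR}/${TARGET}.sh.enc"
NBCRYPT="${SCRIPT_DIR}/nbcrypt"

echo "🚀 Bootstrap: Starting ${TARGET}..."

# Check if encrypted script exists
if [ ! -f "$ENC_FILE" ]; then
  echo "❌ Error: Target '${TARGET}' not found."
  echo " Expected file: ${ENC_FILE}"
  exit 1
fi

# Check if nbcrypt exists
if [ ! -f "$NBCRYPT" ]; then
  echo "❌ Error: nbcrypt not found at ${NBCRYPT}"
  exit 1
fi

# The agent environment file lives at a predictable name in /tmp and is
# source'd, i.e. executed as shell code in this process.
# NOTE(review): the path is presumably fixed by nbcrypt, so it is kept as-is;
# moving it to a per-user directory would be the stronger fix - confirm.
AGENT_ENV_FILE="/tmp/.nb_agent_env_${USER:-$(id -un)}"

#######################################
# Source the agent environment file, but only when it can be trusted.
# Another local user can create a file with this name in /tmp first, so the
# file is loaded only if it is a regular file (not a symlink) owned by the
# current user. This relies on /tmp having the sticky bit, so that a file we
# own cannot be swapped out between the check and the source.
# Globals:   AGENT_ENV_FILE (read); whatever the sourced file sets
# Arguments: none
# Outputs:   warning on stderr when the file exists but is not trusted
# Returns:   0 if the file is absent or was skipped, else status of source
#######################################
load_agent_env() {
  # A missing file is not an error: there is simply nothing to load.
  if [ ! -e "$AGENT_ENV_FILE" ] && [ ! -L "$AGENT_ENV_FILE" ]; then
    return 0
  fi
  if [ -L "$AGENT_ENV_FILE" ] || [ ! -f "$AGENT_ENV_FILE" ] \
    || [ ! -O "$AGENT_ENV_FILE" ]; then
    echo "Warning: ignoring ${AGENT_ENV_FILE}: not a regular file owned by the current user." >&2
    return 0
  fi
  # shellcheck disable=SC1090
  source "$AGENT_ENV_FILE"
}

# Load SSH Agent environment BEFORE running nbcrypt
# This ensures nbcrypt can find the Ed25519 key without prompting for BWS token
if [ -f "$AGENT_ENV_FILE" ]; then
  # Check if we already have a valid SSH_AUTH_SOCK (Agent Forward)
  # But also verify it actually works with ssh-add -l
  if [ -n "${SSH_AUTH_SOCK:-}" ] && [ -S "${SSH_AUTH_SOCK}" ]; then
    # Test if the agent actually works
    if ssh-add -l >/dev/null 2>&1; then
      # Agent Forward exists and works, preserve it and skip file loading
      echo "🔑 Using existing SSH Agent Forward (preserved)"
    else
      # Agent Forward exists but doesn't work (stale socket), load from file
      echo "🔑 Existing SSH Agent Forward is stale, loading from file..."
      load_agent_env
    fi
  else
    # No valid agent, safe to load from file
    echo "🔑 Loading SSH Agent environment..."
    load_agent_env
  fi
fi

# When no Ed25519 key is loaded, fetch the key from BWS and ssh-add it.
# NOTE(review): per the original comment, --keep leaves the key on disk;
# confirm that persisting the private key is intended on this host.
if ! ssh-add -l 2>/dev/null | grep -q ED25519; then
  "$NBCRYPT" keychain --keep
  load_agent_env
fi

# Decrypt and execute
echo "🔐 Decrypting ${TARGET}.sh..."

# The plaintext goes into a fresh directory from mktemp -d (mode 0700) rather
# than a guessable /tmp/<target>-<pid>.sh, so no other local user can
# pre-create, symlink or read the decrypted script.
WORK_DIR="$(mktemp -d "${TMPDIR:-/tmp}/bootstrap.XXXXXX")"
cleanup() { rm -rf -- "${WORK_DIR:?}"; }
trap cleanup EXIT
TEMP_SCRIPT="${WORK_DIR}/${TARGET}.sh"

if "$NBCRYPT" decfile "$ENC_FILE" "$TEMP_SCRIPT"; then
  # Owner-only: the script is run through "bash <file>" by this user alone.
  chmod 700 "$TEMP_SCRIPT"

  # Reload SSH Agent environment if it was updated by nbcrypt/BWS setup
  # (in case BWS setup created a new agent)
  if [ -f "$AGENT_ENV_FILE" ]; then
    # Check if we already have a valid SSH_AUTH_SOCK (Agent Forward)
    if [ -z "${SSH_AUTH_SOCK:-}" ] || [ ! -S "${SSH_AUTH_SOCK}" ]; then
      # No valid agent, safe to load from file
      load_agent_env
    fi
  fi

  echo "✅ Executing ${TARGET} setup..."
  # Run as a child instead of exec so the EXIT trap still fires and removes
  # the decrypted script; the child's exit status is passed through unchanged.
  status=0
  bash "$TEMP_SCRIPT" || status=$?
  exit "$status"
else
  echo "❌ Decryption failed."
  echo " Please ensure your Ed25519 key is loaded in SSH Agent."
  # The EXIT trap removes WORK_DIR and any partial output inside it.
  exit 1
fi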