#!/usr/bin/env bash
# Launch Codex through the condense OpenAI Responses proxy.

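set -euo pipefail

# Deployment constants for this launcher.
MODE="pub"
DEFAULT_API_URL="https://api.condense.chat"
LOGIN_URL="https://login.condense.chat"

# CONDENSE_URL overrides the API endpoint. The stored auth token is sent to
# whatever this resolves to (see probe_token and the codex header table), so
# flag an endpoint that is not reached over TLS.
CONDENSE_API_URL="${CONDENSE_URL:-$DEFAULT_API_URL}"
case "$CONDENSE_API_URL" in
  https://*) ;;
  *) echo "warning: $CONDENSE_API_URL is not an https:// URL; credentials sent to it are not protected by TLS" >&2 ;;
esac

# Per-mode state directory; the user-id and token files live here unless the
# caller points CONDENSE_USER_FILE / CONDENSE_TOKEN_FILE somewhere else.
CONFIG_BASE="${XDG_CONFIG_HOME:-$HOME/.config}/condense"
STATE_DIR="${CONFIG_BASE}/${MODE}/codex"
CONDENSE_USER_FILE="${CONDENSE_USER_FILE:-${STATE_DIR}/user}"
CONDENSE_TOKEN_FILE="${CONDENSE_TOKEN_FILE:-${STATE_DIR}/token}"

# The directory holds a bearer token, so keep it owner-only instead of
# inheriting whatever the ambient umask allows. Parent directories created by
# -p keep the default mode; only the leaf is tightened.
mkdir -p -- "$STATE_DIR"
chmod 700 -- "$STATE_DIR" 2>/dev/null \
  || echo "warning: could not restrict permissions on $STATE_DIR" >&2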

# Print one top-level field of the JSON object read from stdin.
# Arguments: $1 - key to look up
# Outputs:   the field as Python's print() renders it; an empty line when the
#            key is absent or its value is null
# Returns:   python3's exit status (non-zero if stdin is not a JSON object)
json_get() {
  local field="$1"
  # The key travels as argv[1] and the document on stdin, so neither is ever
  # spliced into the Python source text.
  local extractor='
import json, sys

document = json.load(sys.stdin)
found = document.get(sys.argv[1], "")
print("" if found is None else found)
'
  python3 -c "$extractor" "$field"
}

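# Run the device-authorization flow against CONDENSE_API_URL and persist the
# resulting credentials.
# Globals:   CONDENSE_API_URL, LOGIN_URL, CONDENSE_NO_OPEN (read)
#            CONDENSE_TOKEN_FILE, CONDENSE_USER_FILE (paths written)
# Outputs:   progress and the login URL on stderr
# Returns:   0 once a token has been stored; exits the script on timeout,
#            expiry, a missing token, or a failed device/start request
#
# Every field taken from the server responses is treated as untrusted text:
# numeric fields are validated before use and the device code is JSON-encoded
# rather than pasted into the request body.
run_device_flow() {
  local start_resp device_code user_code interval expires_in
  local link_url deadline poll_body poll_resp status token user_id

  # json_get needs python3; check before starting a flow we could not finish.
  if ! command -v python3 >/dev/null 2>&1; then
    echo "python3 is required to parse authorization responses safely." >&2
    exit 127
  fi

  echo "starting authorization with $CONDENSE_API_URL ..." >&2
  start_resp="$(curl -fsSL -X POST -H 'content-type: application/json' "$CONDENSE_API_URL/cc/device/start" -d '{}')" || {
    echo "device/start failed; could not reach $CONDENSE_API_URL/cc/device/start" >&2
    exit 1
  }
  device_code="$(printf '%s' "$start_resp" | json_get device_code)"
  user_code="$(printf '%s' "$start_resp" | json_get user_code)"
  interval="$(printf '%s' "$start_resp" | json_get interval)"
  expires_in="$(printf '%s' "$start_resp" | json_get expires_in)"

  # Bash arithmetic evaluates its operands as expressions, so a response field
  # must be a plain decimal integer before it reaches $(( )) or sleep.
  # Anything else (empty, non-digits, zero or leading zeros, implausibly long)
  # falls back to the defaults of 2s polling and a 600s lifetime.
  case "$interval" in
    '' | *[!0-9]* | 0* | ??????*) interval=2 ;;
  esac
  case "$expires_in" in
    '' | *[!0-9]* | 0* | ???????*) expires_in=600 ;;
  esac

  link_url="${LOGIN_URL}/cli?code=${user_code}"
  cat <<EOF >&2

Open this URL in your browser to authorise Codex:

  ${link_url}

Code: ${user_code}

EOF
  # Best-effort browser launch; CONDENSE_NO_OPEN=1 disables it.
  if [ "${CONDENSE_NO_OPEN:-}" != "1" ]; then
    if command -v open >/dev/null 2>&1; then
      open "$link_url" >/dev/null 2>&1 || true
    elif command -v xdg-open >/dev/null 2>&1; then
      xdg-open "$link_url" >/dev/null 2>&1 || true
    fi
  fi

  # Encode the request body once with a JSON serializer so quotes or
  # backslashes in the device code cannot change the structure of the body.
  poll_body="$(python3 -c 'import json, sys; print(json.dumps({"device_code": sys.argv[1]}, separators=(",", ":")))' "$device_code")"

  deadline=$(( $(date +%s) + expires_in ))
  while :; do
    if [ "$(date +%s)" -ge "$deadline" ]; then
      echo "authorization timed out after ${expires_in}s" >&2
      exit 1
    fi
    sleep "$interval"
    # A failed poll (network error or non-2xx) is retried until the deadline.
    poll_resp="$(curl -fsSL -X POST -H 'content-type: application/json' "$CONDENSE_API_URL/cc/device/poll" -d "$poll_body")" || continue
    status="$(printf '%s' "$poll_resp" | json_get status)"
    case "$status" in
      consumed)
        token="$(printf '%s' "$poll_resp" | json_get token)"
        user_id="$(printf '%s' "$poll_resp" | json_get user_id)"
        if [ -z "$token" ]; then
          echo "device/poll returned status=consumed without a token" >&2
          exit 1
        fi
        # Write the credentials in a subshell so the restrictive umask does
        # not leak into the codex process launched later, and chmod explicitly
        # because a pre-existing (empty) token file keeps its old mode.
        (
          umask 077
          printf '%s\n' "$token" > "$CONDENSE_TOKEN_FILE"
          chmod 600 -- "$CONDENSE_TOKEN_FILE"
          if [ -n "$user_id" ]; then
            printf '%s\n' "$user_id" > "$CONDENSE_USER_FILE"
          fi
        )
        echo "authorized." >&2
        return 0
        ;;
      expired)
        echo "device code expired before authorization" >&2
        exit 1
        ;;
    esac
  done
}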

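# Ask the API whether a stored token is still accepted.
# Globals:   CONDENSE_API_URL (read)
# Arguments: $1 - auth token to probe
# Outputs:   the three-digit HTTP status of GET /me on stdout, or "000" when
#            the request could not be completed
# Returns:   0 always
#
# The caller only re-authenticates on 401/403, so any other outcome
# (including "000" for an unreachable server) leaves the stored token in use.
probe_token() {
  local token="$1"
  local code
  # Feed the header on stdin (-H @-, curl 7.55.0 or newer) so the token does
  # not appear in curl's argument list while the probe runs.
  code="$(printf 'x-condense-auth-token: %s\n' "$token" \
    | curl -sS -o /dev/null -m 10 -w '%{http_code}' -H @- \
      "${CONDENSE_API_URL}/me" 2>/dev/null)" || code=""
  # curl prints its own status placeholder even when it fails; normalise so
  # the caller always receives exactly one three-digit code.
  case "$code" in
    [0-9][0-9][0-9]) printf '%s\n' "$code" ;;
    *) printf '000\n' ;;
  esac
}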

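# Credential bootstrap. In "pub" mode a token is obtained through the device
# flow and re-validated on every launch; in any other mode the launcher
# registers once and identifies itself by user id alone.
if [ "$MODE" = "pub" ]; then
  if [ ! -s "$CONDENSE_TOKEN_FILE" ]; then
    run_device_flow
  fi
  # tr strips all whitespace, so a trailing newline or stray spaces in the
  # file never reach the HTTP header.
  CONDENSE_TOKEN="$(tr -d '[:space:]' < "$CONDENSE_TOKEN_FILE")"
  if [ -z "$CONDENSE_TOKEN" ]; then
    echo "token file $CONDENSE_TOKEN_FILE is empty; rotating..." >&2
    rm -f "$CONDENSE_TOKEN_FILE"
    run_device_flow
    CONDENSE_TOKEN="$(tr -d '[:space:]' < "$CONDENSE_TOKEN_FILE")"
  fi
  # Only an explicit 401/403 triggers re-authorization; other statuses
  # (including a failed probe) keep the stored token.
  STATUS_CODE="$(probe_token "$CONDENSE_TOKEN")"
  if [ "$STATUS_CODE" = "401" ] || [ "$STATUS_CODE" = "403" ]; then
    echo "stored token rejected (status=${STATUS_CODE}); re-running device flow..." >&2
    rm -f "$CONDENSE_TOKEN_FILE"
    run_device_flow
    CONDENSE_TOKEN="$(tr -d '[:space:]' < "$CONDENSE_TOKEN_FILE")"
  fi
else
  if [ ! -s "$CONDENSE_USER_FILE" ]; then
    echo "registering with $CONDENSE_API_URL ..." >&2
    # In this mode no token is sent, so the registration response is the only
    # identifier presented to the API. Create the file owner-only; the umask
    # is confined to the subshell so it does not affect codex later.
    if ! (umask 077; curl -fsSL -X POST "$CONDENSE_API_URL/register" -o "$CONDENSE_USER_FILE"); then
      echo "register failed; could not reach $CONDENSE_API_URL/register" >&2
      rm -f "$CONDENSE_USER_FILE"
      exit 1
    fi
    # A pre-existing empty file keeps its old mode, so tighten it explicitly.
    [ ! -e "$CONDENSE_USER_FILE" ] || chmod 600 -- "$CONDENSE_USER_FILE"
  fi
  CONDENSE_TOKEN=""
fi

CONDENSE_USER_ID=""
if [ -s "$CONDENSE_USER_FILE" ]; then
  CONDENSE_USER_ID="$(tr -d '[:space:]' < "$CONDENSE_USER_FILE")"
fi

# NOTE(review): exported values are inherited by codex and presumably by any
# process it starts; confirm that exposing the token this way is intended.
export CONDENSE_AUTH_TOKEN="$CONDENSE_TOKEN"
export CONDENSE_USER_ID="$CONDENSE_USER_ID"
export CONDENSE_CLIENT="codex"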

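# Escape a value for use inside a double-quoted TOML basic string.
# Arguments: $1 - raw value
# Outputs:   the escaped value on stdout, without a trailing newline
#
# Backslash is handled first so the escapes added afterwards are not escaped
# again. Newline, carriage return and tab are rewritten as well, because a raw
# line break would end the string early and let the remainder be read as
# further configuration. Other control characters are passed through as-is.
toml_escape() {
  local value="$1"
  local nl=$'\n' cr=$'\r' tab=$'\t'
  value="${value//\\/\\\\}"
  value="${value//\"/\\\"}"
  value=${value//$nl/\\n}
  value=${value//$cr/\\r}
  value=${value//$tab/\\t}
  printf '%s' "$value"
}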

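# Inline TOML table of the headers codex attaches to every request. Each value
# goes through toml_escape so a quote or backslash cannot close the string.
CONDENSE_CODEX_HEADERS="{\"x-condense-auth-token\"=\"$(toml_escape "$CONDENSE_TOKEN")\",\"x-condense-user-id\"=\"$(toml_escape "$CONDENSE_USER_ID")\",\"x-condense-client\"=\"codex\"}"

if ! command -v codex >/dev/null 2>&1; then
  echo "codex CLI not found on PATH." >&2
  echo "Install: npm install -g @openai/codex" >&2
  exit 127
fi

echo "dashboard: ${LOGIN_URL/login./helm.}" >&2
# NOTE(review): the http_headers override places the auth token on codex's
# command line, where it stays visible in the process list for the whole
# session. The token is already exported as CONDENSE_AUTH_TOKEN, so sourcing
# the header from the environment (codex's env_http_headers provider setting;
# TODO confirm it is available in the deployed version) would avoid that.
#
# base_url is escaped like the header values: CONDENSE_URL comes from the
# environment and would otherwise be pasted into the TOML string verbatim.
exec codex \
  -c 'model_provider="condense"' \
  -c 'model_providers.condense.name="OpenAI"' \
  -c "model_providers.condense.base_url=\"$(toml_escape "${CONDENSE_API_URL}/v1")\"" \
  -c 'model_providers.condense.wire_api="responses"' \
  -c 'model_providers.condense.requires_openai_auth=true' \
  -c 'model_providers.condense.supports_websockets=true' \
  -c "model_providers.condense.http_headers=${CONDENSE_CODEX_HEADERS}" \
  "$@"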
