#!/usr/bin/env bash
# LyDos Universal Installer — Linux + macOS
#
# Usage:
#   curl -fsSL https://lydos.ailydian.com/install | sh
#   curl -fsSL https://lydos.ailydian.com/install | sh -s -- --locale tr
#
# KURAL 31 — secure, short, idempotent, multi-OS, multi-language.
# Mock/demo YASAK.

set -eu
umask 077

# ─── Config ────────────────────────────────────────────────────────────────

LYDOS_API="${LYDOS_API:-https://lydos.ailydian.com}"
REPO="${LYDOS_REPO:-https://github.com/lydianai/AILYDIAN-AGENT-ORCHESTRATOR.git}"
RAW_BASE="${LYDOS_RAW:-https://raw.githubusercontent.com/lydianai/AILYDIAN-AGENT-ORCHESTRATOR/main}"
INSTALL_PREFIX="${LYDOS_PREFIX:-$HOME/.local}"
STATE_DIR="$HOME/.lydos"
BIN="$INSTALL_PREFIX/bin/lydos"
VENV_DIR="${LYDOS_VENV:-$HOME/.ailydian-venv}"

NEED_PYTHON_MIN="3.9"
NEED_PKGS="git curl"

QUIET=0
AUTO_LOGIN=1
LANG_OVERRIDE=""

while [ $# -gt 0 ]; do
    case "$1" in
        --quiet|-q)   QUIET=1 ;;
        --no-login)   AUTO_LOGIN=0 ;;
        --locale)     shift; LANG_OVERRIDE="$1" ;;
        --prefix)     shift; INSTALL_PREFIX="$1"; BIN="$INSTALL_PREFIX/bin/lydos" ;;
        --help|-h)
            cat <<EOF
LyDos Installer — $LYDOS_API

Usage:
  curl -fsSL $LYDOS_API/install | sh
  curl -fsSL $LYDOS_API/install | sh -s -- [--locale tr] [--no-login] [--quiet]

Options:
  --locale LANG    Override auto-detect (tr/en/de/fr/es/ar/zh/ja/pt/ru/it/ko)
  --no-login       Skip automatic lydos login
  --quiet          Suppress progress output
EOF
            exit 0 ;;
    esac
    shift
done

# ─── Locale auto-detect ────────────────────────────────────────────────────

_detect_locale() {
    [ -n "$LANG_OVERRIDE" ] && { echo "$LANG_OVERRIDE"; return; }
    for v in "${LC_ALL:-}" "${LC_MESSAGES:-}" "${LANG:-}"; do
        [ -n "$v" ] || continue
        code=$(echo "$v" | cut -d. -f1 | cut -d_ -f1 | tr '[:upper:]' '[:lower:]')
        case "$code" in
            tr|en|de|fr|es|ar|zh|ja|pt|ru|it|ko)
                echo "$code"; return ;;
        esac
    done
    echo "en"
}

LOCALE=$(_detect_locale)

# ─── i18n ──────────────────────────────────────────────────────────────────

_msg() {
    key="$1"
    case "${LOCALE}_${key}" in
        tr_start)      echo "LyDos kurulumu başlıyor…" ;;
        en_start)      echo "LyDos installation starting…" ;;
        de_start)      echo "LyDos-Installation wird gestartet…" ;;
        fr_start)      echo "Installation LyDos en cours…" ;;
        es_start)      echo "Iniciando instalación de LyDos…" ;;
        ar_start)      echo "بدء تثبيت LyDos…" ;;
        zh_start)      echo "LyDos 安装中…" ;;
        ja_start)      echo "LyDos をインストールしています…" ;;
        pt_start)      echo "Iniciando instalação do LyDos…" ;;
        ru_start)      echo "Начинается установка LyDos…" ;;
        it_start)      echo "Avvio installazione LyDos…" ;;
        ko_start)      echo "LyDos 설치 시작…" ;;

        tr_os_detect)  echo "Sistem tespit ediliyor…" ;;
        en_os_detect)  echo "Detecting system…" ;;

        tr_deps_check) echo "Bağımlılıklar kontrol ediliyor (git, python3)…" ;;
        en_deps_check) echo "Checking dependencies (git, python3)…" ;;

        tr_installing) echo "LyDos kopyalanıyor…" ;;
        en_installing) echo "Copying LyDos…" ;;

        tr_systemd)    echo "Arka plan servisleri kuruluyor…" ;;
        en_systemd)    echo "Setting up background services…" ;;

        tr_done)       echo "✓ Kurulum tamamlandı." ;;
        en_done)       echo "✓ Installation complete." ;;

        tr_login_prompt) echo "Şimdi giriş yapmak için: lydos login" ;;
        en_login_prompt) echo "Run 'lydos login' to authenticate" ;;

        tr_binary_found)    echo "Release binary bulundu" ;;
        en_binary_found)    echo "Release binary found" ;;
        tr_binary_verified) echo "SHA-256 doğrulandı" ;;
        en_binary_verified) echo "SHA-256 verified" ;;
        tr_binary_installed) echo "Binary kuruldu" ;;
        en_binary_installed) echo "Binary installed" ;;
        tr_fallback_git)    echo "Binary bulunamadı — git checkout ile devam ediliyor" ;;
        en_fallback_git)    echo "Binary not available — falling back to git checkout" ;;
        *) echo "$key" ;;
    esac
}

log() { [ "$QUIET" = 1 ] || echo "  [lydos] $1"; }

# ─── OS + Arch detect ──────────────────────────────────────────────────────

detect_os() {
    case "$(uname -s)" in
        Linux*)  echo "linux" ;;
        Darwin*) echo "darwin" ;;
        *)       echo "unsupported" ;;
    esac
}

detect_arch() {
    case "$(uname -m)" in
        x86_64|amd64)   echo "x86_64" ;;
        aarch64|arm64)  echo "arm64" ;;
        *)              echo "unknown" ;;
    esac
}

OS=$(detect_os)
ARCH=$(detect_arch)

if [ "$OS" = "unsupported" ]; then
    echo "[lydos] ERROR: Unsupported OS $(uname -s). Windows: use install-lydos.ps1" >&2
    exit 2
fi

log "$(_msg start)"
log "$(_msg os_detect): $OS/$ARCH (lang=$LOCALE)"


# ─── Binary download (GitHub Releases) — prefer over git checkout ───────────

RELEASES_API="${LYDOS_RELEASES_API:-https://api.github.com/repos/lydianai/AILYDIAN-AGENT-ORCHESTRATOR/releases}"

_try_binary_install() {
    local os_name="$1" arch_name="$2"
    local asset_suffix

    case "$os_name/$arch_name" in
        linux/x86_64)  asset_suffix="linux-x86_64.tar.gz" ;;
        linux/arm64)   asset_suffix="linux-arm64.tar.gz" ;;
        darwin/x86_64) asset_suffix="darwin-x86_64.tar.gz" ;;
        darwin/arm64)  asset_suffix="darwin-arm64.tar.gz" ;;
        *) return 1 ;;
    esac

    # Get latest release matching cli-v prefix
    local tag
    tag=$(curl -sfm 5 "$RELEASES_API" 2>/dev/null | \
          python3 -c "
import json, sys
try:
    data = json.load(sys.stdin)
    for r in data:
        tn = r.get('tag_name', '')
        if tn.startswith('cli-v') and not r.get('draft') and not r.get('prerelease'):
            print(tn); break
except Exception: pass
" 2>/dev/null)

    [ -n "$tag" ] || return 1

    local url="https://github.com/lydianai/AILYDIAN-AGENT-ORCHESTRATOR/releases/download/${tag}/lydos-${asset_suffix}"
    local tmp="$(mktemp -d)"
    trap 'rm -rf "$tmp"' RETURN

    log "$(_msg 'binary_found'): $tag ($asset_suffix)"

    if ! curl -fsSL -m 60 -o "$tmp/lydos.tar.gz" "$url" 2>/dev/null; then
        log "(binary download failed — falling back to git checkout)"
        return 1
    fi

    # Verify SHA-256 if available
    local sha_url="https://github.com/lydianai/AILYDIAN-AGENT-ORCHESTRATOR/releases/download/${tag}/SHA256SUMS.txt"
    if curl -fsSL -m 10 -o "$tmp/SHA256SUMS.txt" "$sha_url" 2>/dev/null; then
        local expected actual
        expected=$(grep "lydos-${asset_suffix}" "$tmp/SHA256SUMS.txt" 2>/dev/null | awk '{print $1}' | head -1)
        if [ -n "$expected" ]; then
            if command -v sha256sum >/dev/null; then
                actual=$(sha256sum "$tmp/lydos.tar.gz" | awk '{print $1}')
            else
                actual=$(shasum -a 256 "$tmp/lydos.tar.gz" | awk '{print $1}')
            fi
            if [ "$expected" != "$actual" ]; then
                log "ERROR: binary SHA-256 mismatch — aborting binary install"
                return 1
            fi
            log "$(_msg 'binary_verified')"
        fi
    fi

    # Extract
    tar -xzf "$tmp/lydos.tar.gz" -C "$tmp" 2>/dev/null || return 1
    local extracted="$tmp/lydos-${asset_suffix%.tar.gz}"
    [ -f "$extracted" ] || extracted="$tmp/lydos"
    [ -f "$extracted" ] || return 1

    cp -f "$extracted" "$BIN"
    chmod 755 "$BIN"
    log "$(_msg 'binary_installed'): $BIN"
    return 0
}


# ─── Dependency check ──────────────────────────────────────────────────────

log "$(_msg deps_check)"
MISSING=""
for pkg in git curl python3; do
    command -v "$pkg" >/dev/null 2>&1 || MISSING="$MISSING $pkg"
done

if [ -n "$MISSING" ]; then
    echo "[lydos] MISSING:$MISSING" >&2
    case "$OS" in
        linux)
            if command -v apt-get >/dev/null; then
                echo "[lydos] Try: sudo apt-get install -y$MISSING" >&2
            elif command -v dnf >/dev/null; then
                echo "[lydos] Try: sudo dnf install -y$MISSING" >&2
            elif command -v pacman >/dev/null; then
                echo "[lydos] Try: sudo pacman -S --needed$MISSING" >&2
            fi ;;
        darwin)
            if command -v brew >/dev/null; then
                echo "[lydos] Try: brew install$MISSING" >&2
            else
                echo "[lydos] Install Homebrew: https://brew.sh" >&2
            fi ;;
    esac
    exit 3
fi

# Python version check
PY_VER=$(python3 -c "import sys; print(f'{sys.version_info.major}.{sys.version_info.minor}')")
PY_OK=$(python3 -c "import sys; print(1 if sys.version_info >= (3,9) else 0)")
if [ "$PY_OK" != "1" ]; then
    echo "[lydos] ERROR: Python >= $NEED_PYTHON_MIN required (have $PY_VER)" >&2
    exit 4
fi

# ─── Workspace prep ────────────────────────────────────────────────────────

# Defensive mkdir: pre-flight check writability of $INSTALL_PREFIX. If
# any directory creation fails, suggest --prefix and exit cleanly so
# the user is not left with a half-installed state.
if ! mkdir -p "$INSTALL_PREFIX/bin" "$STATE_DIR" "$INSTALL_PREFIX/share/lydos" 2>/dev/null; then
    echo "[lydos] ERROR: cannot create $INSTALL_PREFIX (Permission denied?)" >&2
    echo "[lydos] Hint: re-run with --prefix flag, e.g.:" >&2
    echo "[lydos]   curl -fsSL $LYDOS_API/install | sh -s -- --prefix \$HOME/lydos" >&2
    echo "[lydos] Or set LYDOS_PREFIX env var:" >&2
    echo "[lydos]   LYDOS_PREFIX=\$HOME/lydos curl -fsSL $LYDOS_API/install | sh" >&2
    exit 6
fi

WORKSPACE="$INSTALL_PREFIX/share/lydos/checkout"
log "$(_msg installing)"

# Try binary download first (if release asset available)
if _try_binary_install "$OS" "$ARCH"; then
    BINARY_OK=1
else
    BINARY_OK=0
    log "$(_msg 'fallback_git')"
fi

if [ "${BINARY_OK:-0}" = "0" ]; then
if [ -n "${LYDOS_REPO_LOCAL:-}" ] && [ -d "$LYDOS_REPO_LOCAL" ]; then
    # Local source override (CI / clean-install regression / private-repo install)
    log "using local source: $LYDOS_REPO_LOCAL"
    rm -rf "$WORKSPACE"
    mkdir -p "$WORKSPACE"
    cp -a "$LYDOS_REPO_LOCAL/." "$WORKSPACE/" || {
        echo "[lydos] ERROR: copy from LYDOS_REPO_LOCAL failed" >&2
        exit 5
    }
elif [ -d "$WORKSPACE/.git" ]; then
    ( cd "$WORKSPACE" && git pull --ff-only --quiet 2>/dev/null ) || \
        log "(update skipped — using cached checkout)"
else
    rm -rf "$WORKSPACE"
    git clone --depth 1 --quiet "$REPO" "$WORKSPACE" || {
        echo "[lydos] ERROR: git clone failed from $REPO" >&2
        exit 5
    }
fi

# Symlink lydos CLI
cp -f "$WORKSPACE/scripts/lydos" "$BIN"
chmod 755 "$BIN"
fi  # end BINARY_OK=0

# Ensure venv (optional — CLI works with system python3)
if [ ! -d "$VENV_DIR" ]; then
    python3 -m venv "$VENV_DIR" 2>/dev/null || log "(venv create skipped)"
fi

# Add $INSTALL_PREFIX/bin to PATH in common shell profiles if missing.
# Defensive: write-attempt MUST NOT abort the installer (set -eu).
# .zshrc owned by another user / read-only filesystem / Docker overlay
# are all common on shared boxes — fall back to printing the export line.
_PATH_LINE_NEEDED=1
for profile in "$HOME/.bashrc" "$HOME/.zshrc" "$HOME/.profile"; do
    [ -f "$profile" ] || continue
    if ! grep -q "$INSTALL_PREFIX/bin" "$profile" 2>/dev/null; then
        # The whole heredoc + redirect lives inside an `if` so a write
        # failure (Permission denied / EROFS / quota) does not poison
        # the script's exit status under `set -e`.
        if {
                printf '\n# LyDos CLI — %s\n' "$(date +%Y-%m-%d)"
                printf 'case ":$PATH:" in *":%s/bin:"*) ;; *) export PATH="%s/bin:$PATH" ;; esac\n' \
                       "$INSTALL_PREFIX" "$INSTALL_PREFIX"
            } >> "$profile" 2>/dev/null; then
            log "PATH added to $(basename "$profile")"
            _PATH_LINE_NEEDED=0
        else
            log "(PATH write skipped — $profile not writable)"
        fi
    else
        _PATH_LINE_NEEDED=0
    fi
done

if [ "$_PATH_LINE_NEEDED" = 1 ]; then
    log ""
    log "Add this line manually to your shell profile to use 'lydos' from anywhere:"
    log "    export PATH=\"$INSTALL_PREFIX/bin:\$PATH\""
    log ""
fi

# ─── Per-user daemons (systemd user / launchd) ─────────────────────────────

log "$(_msg systemd)"

if [ "$OS" = "linux" ] && command -v systemctl >/dev/null; then
    if [ -x "$WORKSPACE/scripts/lydos-q158-user-install.sh" ]; then
        LYDOS_ROOT="$WORKSPACE" bash "$WORKSPACE/scripts/lydos-q158-user-install.sh" --quiet || \
            log "(q158 installer warning — not fatal)"
    fi
elif [ "$OS" = "darwin" ]; then
    # macOS launchd plist
    PLIST_DIR="$HOME/Library/LaunchAgents"
    mkdir -p "$PLIST_DIR"
    PLIST="$PLIST_DIR/com.lydian.lydos-q158.plist"
    cat > "$PLIST" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.lydian.lydos-q158</string>
  <key>ProgramArguments</key>
  <array>
    <string>$BIN</string>
    <string>status</string>
  </array>
  <key>StartInterval</key><integer>300</integer>
  <key>RunAtLoad</key><true/>
  <key>StandardOutPath</key><string>$STATE_DIR/q158.log</string>
  <key>StandardErrorPath</key><string>$STATE_DIR/q158.log</string>
</dict>
</plist>
EOF
    chmod 644 "$PLIST"
    launchctl unload "$PLIST" 2>/dev/null || true
    launchctl load "$PLIST" 2>/dev/null || log "(launchd load warning)"
fi

# ─── Done ──────────────────────────────────────────────────────────────────

log "$(_msg done)"
log "Binary    : $BIN"
log "Workspace : $WORKSPACE"
log "State     : $STATE_DIR"

# Auto-login (unless disabled)
if [ "$AUTO_LOGIN" = "1" ] && [ -t 0 ]; then
    log "$(_msg login_prompt)"
    if "$BIN" login 2>/dev/null; then
        :
    else
        log "(run 'lydos login' manually when ready)"
    fi
else
    log "$(_msg login_prompt)"
fi

exit 0