#!/usr/bin/env bash
# Siliqua agent installer
# Source: https://get.siliqua.io  (deploy/phase0/scripts/install.sh in the repo)
#
# One-liner:
#   curl -fsSL https://get.siliqua.io | bash
#
# Env overrides:
#   SILIQUA_BASE_URL    — where to fetch binaries (default: https://siliqua.io)
#   SILIQUA_INSTALL_DIR — install location (default: /usr/local/bin)

set -euo pipefail

BASE_URL="${SILIQUA_BASE_URL:-https://siliqua.io}"
INSTALL_DIR="${SILIQUA_INSTALL_DIR:-/usr/local/bin}"
BINARY_NAME="siliqua-agent"

# --- Detect OS + arch ---
detect_platform() {
    local os arch
    os=$(uname -s | tr '[:upper:]' '[:lower:]')
    arch=$(uname -m)
    case "$arch" in
        x86_64|amd64) arch=amd64 ;;
        aarch64|arm64) arch=arm64 ;;
        *) echo "Unsupported architecture: $arch" >&2; exit 1 ;;
    esac
    case "$os" in
        linux|darwin) ;;
        *) echo "Unsupported OS: $os (use install.ps1 on Windows)" >&2; exit 1 ;;
    esac
    echo "${os}-${arch}"
}

PLATFORM=$(detect_platform)
DOWNLOAD_URL="${BASE_URL}/downloads/${BINARY_NAME}-${PLATFORM}"
SHA256_URL="${BASE_URL}/downloads/SHA256SUMS"

echo "▶ Detected platform: ${PLATFORM}"
echo "▶ Downloading ${DOWNLOAD_URL}"

# --- Download to temp ---
TMP=$(mktemp)
trap 'rm -f "${TMP}" "${TMP}.shas"' EXIT
curl -fsSL -o "${TMP}" "${DOWNLOAD_URL}"

# --- SHA-256 verification ---
# Best-effort: warn if SHA256SUMS unreachable; fail hard on mismatch.
if curl -fsSL "${SHA256_URL}" -o "${TMP}.shas" 2>/dev/null; then
    EXPECTED=$(grep "${BINARY_NAME}-${PLATFORM}" "${TMP}.shas" | awk '{print $1}' | head -1)
    if command -v sha256sum >/dev/null 2>&1; then
        ACTUAL=$(sha256sum "${TMP}" | awk '{print $1}')
    elif command -v shasum >/dev/null 2>&1; then
        ACTUAL=$(shasum -a 256 "${TMP}" | awk '{print $1}')
    else
        echo "⚠ Neither sha256sum nor shasum available — skipping verification" >&2
        ACTUAL="${EXPECTED}"
    fi
    if [ -z "${EXPECTED}" ]; then
        echo "⚠ ${BINARY_NAME}-${PLATFORM} not in SHA256SUMS — skipping verification" >&2
    elif [ "${EXPECTED}" != "${ACTUAL}" ]; then
        echo "✗ SHA-256 mismatch — refusing to install" >&2
        echo "  expected: ${EXPECTED}" >&2
        echo "  actual:   ${ACTUAL}" >&2
        exit 1
    else
        echo "▶ SHA-256 verified"
    fi
else
    echo "⚠ Could not fetch ${SHA256_URL} — skipping verification" >&2
fi

# --- Install ---
if [ -w "${INSTALL_DIR}" ]; then
    install -m 0755 "${TMP}" "${INSTALL_DIR}/${BINARY_NAME}"
else
    sudo install -m 0755 "${TMP}" "${INSTALL_DIR}/${BINARY_NAME}"
fi

echo "✓ Installed ${INSTALL_DIR}/${BINARY_NAME}"
echo
echo "Next:"
echo "  1. Get a token at ${BASE_URL}/supply/agent"
echo "  2. Start the agent:  ${BINARY_NAME} start --token <YOUR_TOKEN>"