//go:build llm_script

package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strings"
	"time"
)

type cloudflarePricingSignatureGuardConfig struct {
	URL            string
	Fixture        string
	SnapshotDir    string
	BaselinePath   string
	Timeout        time.Duration
	AllowBootstrap bool
}

type cloudflarePricingSignatureGuardResult struct {
	SnapshotPath         string
	SignaturePath        string
	BaselinePath         string
	DriftDetected        bool
	BaselineInitialized  bool
	PreviousBaselineHash string
	CurrentSignature     markdownPricingStructureSignature
}

func runCloudflarePricingSignatureGuard(cfg cloudflarePricingSignatureGuardConfig, now time.Time) (cloudflarePricingSignatureGuardResult, error) {
	snapshotDir := cfg.SnapshotDir
	if snapshotDir == "" {
		snapshotDir = filepath.Join("logs", "cloudflare-pricing-snapshots")
	}
	if err := os.MkdirAll(snapshotDir, 0o755); err != nil {
		return cloudflarePricingSignatureGuardResult{}, fmt.Errorf("mkdir snapshot dir: %w", err)
	}

	snapshotPath, signaturePath := resolveCloudflarePricingSnapshotPaths("", "", snapshotDir, now)
	baselinePath := cfg.BaselinePath
	if baselinePath == "" {
		baselinePath = filepath.Join(snapshotDir, "baseline.signature.json")
	}

	clientCfg := cloudflarePricingImportConfig{
		URL:          cfg.URL,
		Fixture:      cfg.Fixture,
		DryRun:       true,
		Timeout:      cfg.Timeout,
		SnapshotOnly: true,
		SnapshotOut:  snapshotPath,
		SignatureOut: signaturePath,
	}
	if err := runCloudflarePricingImport(clientCfg, nil, ioDiscard{}); err != nil {
		return cloudflarePricingSignatureGuardResult{}, err
	}

	current, err := readMarkdownPricingStructureSignature(signaturePath)
	if err != nil {
		return cloudflarePricingSignatureGuardResult{}, err
	}
	result := cloudflarePricingSignatureGuardResult{
		SnapshotPath:     snapshotPath,
		SignaturePath:    signaturePath,
		BaselinePath:     baselinePath,
		CurrentSignature: current,
	}

	previous, err := readMarkdownPricingStructureSignature(baselinePath)
	if err != nil {
		if os.IsNotExist(err) {
			if !cfg.AllowBootstrap {
				return result, fmt.Errorf("cloudflare pricing baseline missing: %s", baselinePath)
			}
			if err := copyFileCommon(signaturePath, baselinePath); err != nil {
				return result, fmt.Errorf("initialize baseline: %w", err)
			}
			result.BaselineInitialized = true
			return result, nil
		}
		return result, err
	}

	result.PreviousBaselineHash = previous.StructureSHA256
	if previous.StructureSHA256 != current.StructureSHA256 {
		result.DriftDetected = true
		return result, fmt.Errorf(
			"cloudflare pricing structure drift detected: baseline=%s current=%s baseline_path=%s signature_path=%s snapshot_path=%s",
			previous.StructureSHA256, current.StructureSHA256, baselinePath, signaturePath, snapshotPath,
		)
	}
	return result, nil
}

func formatCloudflarePricingSignatureGuardSummary(result cloudflarePricingSignatureGuardResult) string {
	return fmt.Sprintf(
		"source=cloudflare-pricing-signature-guard drift=%t baseline_initialized=%t structure_sha256=%s previous_baseline_sha256=%s snapshot_out=%s signature_out=%s baseline_path=%s",
		result.DriftDetected,
		result.BaselineInitialized,
		result.CurrentSignature.StructureSHA256,
		emptyIfBlank(result.PreviousBaselineHash),
		result.SnapshotPath,
		result.SignaturePath,
		result.BaselinePath,
	)
}

func buildCloudflarePricingSignatureAuditRecord(cfg cloudflarePricingSignatureGuardConfig, result cloudflarePricingSignatureGuardResult, checkedAt time.Time, runErr error) officialImportSignatureAuditRecord {
	record := officialImportSignatureAuditRecord{
		SourceKey:               "cloudflare_pricing_signature",
		CheckedAt:               checkedAt,
		Status:                  officialImportSignatureAuditStatus(result.DriftDetected, result.BaselineInitialized, runErr),
		DriftDetected:           result.DriftDetected,
		BaselineInitialized:     result.BaselineInitialized,
		SourceURL:               strings.TrimSpace(cfg.URL),
		FixturePath:             strings.TrimSpace(cfg.Fixture),
		SnapshotPath:            strings.TrimSpace(result.SnapshotPath),
		SignaturePath:           strings.TrimSpace(result.SignaturePath),
		BaselinePath:            strings.TrimSpace(result.BaselinePath),
		StructureSHA256:         strings.TrimSpace(result.CurrentSignature.StructureSHA256),
		PreviousStructureSHA256: strings.TrimSpace(result.PreviousBaselineHash),
		ByteSize:                result.CurrentSignature.ByteSize,
		ErrorMessage:            errorMessageText(runErr),
	}
	if hasMarkdownPricingStructureSignature(result.CurrentSignature) {
		signatureCopy := result.CurrentSignature
		record.SignaturePayload = &signatureCopy
	}
	return record
}

func persistCloudflarePricingSignatureAuditIfConfigured(cfg cloudflarePricingSignatureGuardConfig, result cloudflarePricingSignatureGuardResult, checkedAt time.Time, runErr error) error {
	return persistOfficialImportSignatureAuditIfConfigured(buildCloudflarePricingSignatureAuditRecord(cfg, result, checkedAt, runErr))
}