//go:build llm_script

package main

import (
	"fmt"
	"net/http"
	"os"
	"path/filepath"
	"strings"
	"time"
)

type deepseekPricingSignatureGuardConfig struct {
	SourceKey       string
	URL             string
	Fixture         string
	SnapshotDir     string
	BaselinePath    string
	Timeout         time.Duration
	AllowBootstrap  bool
	SnapshotBase    string
	SourceKindLabel string
}

type deepseekPricingSignatureGuardResult struct {
	SnapshotPath         string
	SignaturePath        string
	BaselinePath         string
	DriftDetected        bool
	BaselineInitialized  bool
	PreviousBaselineHash string
	CurrentSignature     deepseekPricingStructureSignature
}

const defaultDeepSeekPricingFetchURL = "https://platform.deepseek.com/pricing"
const defaultDeepSeekAPIPricingFetchURL = "https://platform.deepseek.com/docs/api-pricing"

func runDeepSeekPricingSignatureGuard(cfg deepseekPricingSignatureGuardConfig, now time.Time) (deepseekPricingSignatureGuardResult, error) {
	snapshotDir := cfg.SnapshotDir
	if snapshotDir == "" {
		snapshotDir = filepath.Join("logs", cfg.SnapshotBase+"-snapshots")
	}
	if err := os.MkdirAll(snapshotDir, 0o755); err != nil {
		return deepseekPricingSignatureGuardResult{}, fmt.Errorf("mkdir snapshot dir: %w", err)
	}
	snapshotPath, signaturePath := resolveDeepSeekPricingSnapshotPaths("", "", snapshotDir, cfg.SnapshotBase, now)
	baselinePath := cfg.BaselinePath
	if baselinePath == "" {
		baselinePath = filepath.Join(snapshotDir, "baseline.signature.json")
	}
	client := &http.Client{Timeout: cfg.Timeout}
	raw, err := fetchSubscriptionPage(cfg.URL, cfg.Fixture, client)
	if err != nil {
		return deepseekPricingSignatureGuardResult{}, err
	}
	current, err := writeDeepSeekPricingSnapshotArtifacts(raw, cfg.URL, snapshotPath, signaturePath, now)
	if err != nil {
		return deepseekPricingSignatureGuardResult{}, err
	}
	result := deepseekPricingSignatureGuardResult{
		SnapshotPath:     snapshotPath,
		SignaturePath:    signaturePath,
		BaselinePath:     baselinePath,
		CurrentSignature: current,
	}
	previous, err := readDeepSeekPricingStructureSignature(baselinePath)
	if err != nil {
		if os.IsNotExist(err) {
			if !cfg.AllowBootstrap {
				return result, fmt.Errorf("%s baseline missing: %s", cfg.SourceKey, baselinePath)
			}
			if err := copyFileCommon(signaturePath, baselinePath); err != nil {
				return result, fmt.Errorf("initialize baseline: %w", err)
			}
			result.BaselineInitialized = true
			return result, nil
		}
		return result, err
	}
	result.PreviousBaselineHash = previous.StructureSHA256
	if previous.StructureSHA256 != current.StructureSHA256 {
		result.DriftDetected = true
		return result, fmt.Errorf(
			"%s structure drift detected: baseline=%s current=%s baseline_path=%s signature_path=%s snapshot_path=%s",
			cfg.SourceKey, previous.StructureSHA256, current.StructureSHA256, baselinePath, signaturePath, snapshotPath,
		)
	}
	return result, nil
}

func formatDeepSeekPricingSignatureGuardSummary(sourceKey string, result deepseekPricingSignatureGuardResult) string {
	return fmt.Sprintf(
		"source=%s drift=%t baseline_initialized=%t structure_sha256=%s previous_baseline_sha256=%s snapshot_out=%s signature_out=%s baseline_path=%s",
		sourceKey,
		result.DriftDetected,
		result.BaselineInitialized,
		result.CurrentSignature.StructureSHA256,
		emptyIfBlank(result.PreviousBaselineHash),
		result.SnapshotPath,
		result.SignaturePath,
		result.BaselinePath,
	)
}

func buildDeepSeekPricingSignatureAuditRecord(cfg deepseekPricingSignatureGuardConfig, result deepseekPricingSignatureGuardResult, checkedAt time.Time, runErr error) officialImportSignatureAuditRecord {
	record := officialImportSignatureAuditRecord{
		SourceKey:               cfg.SourceKey,
		CheckedAt:               checkedAt,
		Status:                  officialImportSignatureAuditStatus(result.DriftDetected, result.BaselineInitialized, runErr),
		DriftDetected:           result.DriftDetected,
		BaselineInitialized:     result.BaselineInitialized,
		SourceURL:               strings.TrimSpace(cfg.URL),
		FixturePath:             strings.TrimSpace(cfg.Fixture),
		SnapshotPath:            strings.TrimSpace(result.SnapshotPath),
		SignaturePath:           strings.TrimSpace(result.SignaturePath),
		BaselinePath:            strings.TrimSpace(result.BaselinePath),
		StructureSHA256:         strings.TrimSpace(result.CurrentSignature.StructureSHA256),
		PreviousStructureSHA256: strings.TrimSpace(result.PreviousBaselineHash),
		ByteSize:                result.CurrentSignature.ByteSize,
		ErrorMessage:            errorMessageText(runErr),
	}
	if hasDeepSeekPricingStructureSignature(result.CurrentSignature) {
		signatureCopy := result.CurrentSignature
		record.SignaturePayload = &signatureCopy
	}
	return record
}

func persistDeepSeekPricingSignatureAuditIfConfigured(cfg deepseekPricingSignatureGuardConfig, result deepseekPricingSignatureGuardResult, checkedAt time.Time, runErr error) error {
	return persistOfficialImportSignatureAuditIfConfigured(buildDeepSeekPricingSignatureAuditRecord(cfg, result, checkedAt, runErr))
}