#!/usr/bin/env bash
set -euo pipefail

ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
PRECHECK_SCRIPT="$ROOT_DIR/scripts/ci/docs_portal_static_deploy_preflight.sh"
BUILD_DIR="$ROOT_DIR/packages/docs/build"
EVIDENCE_DIR="${DOCS_PORTAL_PUBLISH_EVIDENCE_DIR:-$ROOT_DIR/dist/docs-portal-cloudflare-publish}"
TRACK="${DOCS_PORTAL_PUBLICATION_TRACK:-internal}"
CREDS_FILE="${DOCS_PORTAL_CLOUDFLARE_CREDS_FILE:-}"
COMMIT_SHA="$(git -C "$ROOT_DIR" rev-parse HEAD)"
export DOCS_PORTAL_BUILD_SHA="${DOCS_PORTAL_BUILD_SHA:-$COMMIT_SHA}"
export DOCS_PORTAL_PUBLISHED_AT="${DOCS_PORTAL_PUBLISHED_AT:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"

if [[ -n "$CREDS_FILE" ]]; then
  if [[ ! -f "$CREDS_FILE" ]]; then
    echo "FAIL: DOCS_PORTAL_CLOUDFLARE_CREDS_FILE not found: $CREDS_FILE" >&2
    exit 2
  fi
  set -a
  # shellcheck disable=SC1090
  source "$CREDS_FILE"
  set +a
fi

export CLOUDFLARE_ACCOUNT_ID="${CLOUDFLARE_ACCOUNT_ID:-${AccountID:-}}"
export CLOUDFLARE_API_TOKEN="${CLOUDFLARE_API_TOKEN:-${APIToken:-}}"
HOSTNAME="${DOCS_PORTAL_HOSTNAME:-}"
PROJECT="${CLOUDFLARE_PAGES_PROJECT:-}"

WRANGLER_CMD=()
if command -v wrangler >/dev/null 2>&1; then
  WRANGLER_CMD=(wrangler)
else
  export HOME="${DOCS_PORTAL_WRANGLER_HOME:-/tmp/wrangler-home}"
  export npm_config_cache="${DOCS_PORTAL_NPM_CACHE:-/tmp/npm-cache}"
  mkdir -p "$HOME" "$npm_config_cache"
  WRANGLER_CMD=(npx -y wrangler)
fi

required_env() {
  local name="$1"
  if [[ -z "${!name:-}" ]]; then
    echo "FAIL: required environment variable missing: $name" >&2
    exit 2
  fi
}

case "$TRACK" in
  public|customer|partner|internal|ops|governance) ;;
  *)
    echo "FAIL: DOCS_PORTAL_PUBLICATION_TRACK must be one of public, customer, partner, internal, ops, governance" >&2
    exit 2
    ;;
esac

required_env DOCS_PORTAL_HOSTNAME
required_env CLOUDFLARE_ACCOUNT_ID
required_env CLOUDFLARE_PAGES_PROJECT
required_env CLOUDFLARE_API_TOKEN

mkdir -p "$EVIDENCE_DIR"

echo "==> docs portal deploy preflight"
bash "$PRECHECK_SCRIPT"

if [[ ! -s "$BUILD_DIR/index.html" ]]; then
  echo "FAIL: missing Docusaurus build output: $BUILD_DIR/index.html" >&2
  exit 1
fi

RAW_LOG="$EVIDENCE_DIR/wrangler.raw.log"
SANITIZED_LOG="$EVIDENCE_DIR/wrangler.sanitized.log"
SUMMARY_JSON="$EVIDENCE_DIR/summary.json"
SUMMARY_MD="$EVIDENCE_DIR/summary.md"

echo "==> publishing docs portal to Cloudflare Pages"
set +e
"${WRANGLER_CMD[@]}" pages deploy "$BUILD_DIR" \
  --project-name "$PROJECT" \
  --branch "$TRACK" \
  --commit-dirty=false \
  >"$RAW_LOG" 2>&1
WRANGLER_EXIT=$?
set -e

export WRANGLER_EXIT COMMIT_SHA
python3 - "$RAW_LOG" "$SANITIZED_LOG" "$SUMMARY_JSON" <<'PY'
import json
import os
import pathlib
import re
import sys

raw_path = pathlib.Path(sys.argv[1])
sanitized_path = pathlib.Path(sys.argv[2])
summary_path = pathlib.Path(sys.argv[3])

raw = raw_path.read_text(encoding="utf-8", errors="replace")
token = os.environ.get("CLOUDFLARE_API_TOKEN", "")
account_id = os.environ.get("CLOUDFLARE_ACCOUNT_ID", "")

sanitized = raw
for secret in [token, account_id]:
    if secret:
        sanitized = sanitized.replace(secret, "[REDACTED]")

deploy_url = None
deployment_id = None

url_match = re.search(r"(https://[A-Za-z0-9./:_-]+)", sanitized)
if url_match:
    deploy_url = url_match.group(1).rstrip(").,")

id_match = re.search(r"(?:deployment(?:\s+id)?|deploy(?:ed)?)[:= ]+([A-Za-z0-9_-]{8,})", sanitized, re.IGNORECASE)
if id_match:
    deployment_id = id_match.group(1)

sanitized_path.write_text(sanitized, encoding="utf-8")

payload = {
    "schema_version": "docs-portal-cloudflare-publish.v1",
    "result": "pass" if int(os.environ["WRANGLER_EXIT"]) == 0 else "fail",
    "publication_track": os.environ["DOCS_PORTAL_PUBLICATION_TRACK"],
    "hostname": os.environ["DOCS_PORTAL_HOSTNAME"],
    "cloudflare_pages_project": os.environ["CLOUDFLARE_PAGES_PROJECT"],
    "git_sha": os.environ["COMMIT_SHA"],
    "build_dir": "packages/docs/build",
    "wrangler_exit_code": int(os.environ["WRANGLER_EXIT"]),
    "deployment_url": deploy_url,
    "deployment_id": deployment_id,
    "sanitized_log": str(sanitized_path),
    "preflight_script": "scripts/ci/docs_portal_static_deploy_preflight.sh",
}
summary_path.write_text(json.dumps(payload, indent=2) + "\n", encoding="utf-8")
PY

cat >"$SUMMARY_MD" <<EOF
# Docs Portal Cloudflare Publish

- result: $([[ "$WRANGLER_EXIT" -eq 0 ]] && echo pass || echo fail)
- publication_track: ${TRACK}
- hostname: ${HOSTNAME}
- cloudflare_pages_project: ${PROJECT}
- git_sha: ${COMMIT_SHA}
- wrangler_exit_code: ${WRANGLER_EXIT}
- build_dir: packages/docs/build
- sanitized_log: ${SANITIZED_LOG}

This wrapper ran the static deploy preflight and then executed a Cloudflare
Pages publish attempt through \`wrangler\`. See \`summary.json\` and the
sanitized log for the durable result.
EOF

if [[ "$WRANGLER_EXIT" -ne 0 ]]; then
  echo "FAIL: wrangler pages deploy failed; see $SANITIZED_LOG" >&2
  exit "$WRANGLER_EXIT"
fi

echo "OK: docs portal published; evidence=$SUMMARY_JSON"