package cli

import (
	"fmt"
	"log/slog"
	"os"
	"path/filepath"
	"strings"

	"filippo.io/age"
	"git.eeqj.de/sneak/secret/internal/secret"
	"git.eeqj.de/sneak/secret/internal/vault"
	"git.eeqj.de/sneak/secret/pkg/agehd"
	"github.com/spf13/afero"
	"github.com/spf13/cobra"
	"github.com/tyler-smith/go-bip39"
)

// NewInitCmd creates the init command
func NewInitCmd() *cobra.Command {
	return &cobra.Command{
		Use:   "init",
		Short: "Initialize the secrets manager",
		Long:  `Create the necessary directory structure for storing secrets and generate encryption keys.`,
		RunE:  RunInit,
	}
}

// RunInit is the exported function that handles the init command
func RunInit(cmd *cobra.Command, args []string) error {
	cli := NewCLIInstance()
	return cli.Init(cmd)
}

// Init initializes the secret manager
func (cli *Instance) Init(cmd *cobra.Command) error {
	secret.Debug("Starting secret manager initialization")

	// Create state directory
	stateDir := cli.GetStateDir()
	secret.DebugWith("Creating state directory", slog.String("path", stateDir))

	if err := cli.fs.MkdirAll(stateDir, secret.DirPerms); err != nil {
		secret.Debug("Failed to create state directory", "error", err)
		return fmt.Errorf("failed to create state directory: %w", err)
	}

	if cmd != nil {
		cmd.Printf("Initialized secrets manager at: %s\n", stateDir)
	}

	// Prompt for mnemonic
	var mnemonicStr string

	if envMnemonic := os.Getenv(secret.EnvMnemonic); envMnemonic != "" {
		secret.Debug("Using mnemonic from environment variable")
		mnemonicStr = envMnemonic
	} else {
		secret.Debug("Prompting user for mnemonic phrase")
		// Read mnemonic from stdin using shared line reader
		var err error
		mnemonicStr, err = readLineFromStdin("Enter your BIP39 mnemonic phrase: ")
		if err != nil {
			secret.Debug("Failed to read mnemonic from stdin", "error", err)
			return fmt.Errorf("failed to read mnemonic: %w", err)
		}
	}

	if mnemonicStr == "" {
		secret.Debug("Empty mnemonic provided")
		return fmt.Errorf("mnemonic cannot be empty")
	}

	// Validate the mnemonic using BIP39
	secret.DebugWith("Validating BIP39 mnemonic", slog.Int("word_count", len(strings.Fields(mnemonicStr))))
	if !bip39.IsMnemonicValid(mnemonicStr) {
		secret.Debug("Invalid BIP39 mnemonic provided")
		return fmt.Errorf("invalid BIP39 mnemonic phrase\nRun 'secret generate mnemonic' to create a valid mnemonic")
	}

	// Set mnemonic in environment for CreateVault to use
	originalMnemonic := os.Getenv(secret.EnvMnemonic)
	os.Setenv(secret.EnvMnemonic, mnemonicStr)
	defer func() {
		if originalMnemonic != "" {
			os.Setenv(secret.EnvMnemonic, originalMnemonic)
		} else {
			os.Unsetenv(secret.EnvMnemonic)
		}
	}()

	// Create the default vault - it will handle key derivation internally
	secret.Debug("Creating default vault")
	vlt, err := vault.CreateVault(cli.fs, cli.stateDir, "default")
	if err != nil {
		secret.Debug("Failed to create default vault", "error", err)
		return fmt.Errorf("failed to create default vault: %w", err)
	}

	// Get the vault metadata to retrieve the derivation index
	vaultDir := filepath.Join(stateDir, "vaults.d", "default")
	metadata, err := vault.LoadVaultMetadata(cli.fs, vaultDir)
	if err != nil {
		secret.Debug("Failed to load vault metadata", "error", err)
		return fmt.Errorf("failed to load vault metadata: %w", err)
	}

	// Derive the long-term key using the same index that CreateVault used
	ltIdentity, err := agehd.DeriveIdentity(mnemonicStr, metadata.DerivationIndex)
	if err != nil {
		secret.Debug("Failed to derive long-term key", "error", err)
		return fmt.Errorf("failed to derive long-term key from mnemonic: %w", err)
	}
	ltPubKey := ltIdentity.Recipient().String()

	// Unlock the vault with the derived long-term key
	vlt.Unlock(ltIdentity)

	// Prompt for passphrase for unlocker
	var passphraseStr string
	if envPassphrase := os.Getenv(secret.EnvUnlockPassphrase); envPassphrase != "" {
		secret.Debug("Using unlock passphrase from environment variable")
		passphraseStr = envPassphrase
	} else {
		secret.Debug("Prompting user for unlock passphrase")
		// Use secure passphrase input with confirmation
		passphraseStr, err = readSecurePassphrase("Enter passphrase for unlocker: ")
		if err != nil {
			secret.Debug("Failed to read unlock passphrase", "error", err)
			return fmt.Errorf("failed to read passphrase: %w", err)
		}
	}

	// Create passphrase-protected unlocker
	secret.Debug("Creating passphrase-protected unlocker")
	passphraseUnlocker, err := vlt.CreatePassphraseUnlocker(passphraseStr)
	if err != nil {
		secret.Debug("Failed to create unlocker", "error", err)
		return fmt.Errorf("failed to create unlocker: %w", err)
	}

	// Encrypt long-term private key to the unlocker
	unlockerDir := passphraseUnlocker.GetDirectory()

	// Read unlocker public key
	unlockerPubKeyData, err := afero.ReadFile(cli.fs, filepath.Join(unlockerDir, "pub.age"))
	if err != nil {
		return fmt.Errorf("failed to read unlocker public key: %w", err)
	}

	unlockerRecipient, err := age.ParseX25519Recipient(string(unlockerPubKeyData))
	if err != nil {
		return fmt.Errorf("failed to parse unlocker public key: %w", err)
	}

	// Encrypt long-term private key to unlocker
	ltPrivKeyData := []byte(ltIdentity.String())
	encryptedLtPrivKey, err := secret.EncryptToRecipient(ltPrivKeyData, unlockerRecipient)
	if err != nil {
		return fmt.Errorf("failed to encrypt long-term private key: %w", err)
	}

	// Write encrypted long-term private key
	if err := afero.WriteFile(cli.fs, filepath.Join(unlockerDir, "longterm.age"), encryptedLtPrivKey, secret.FilePerms); err != nil {
		return fmt.Errorf("failed to write encrypted long-term private key: %w", err)
	}

	if cmd != nil {
		cmd.Printf("\nDefault vault created and configured\n")
		cmd.Printf("Long-term public key: %s\n", ltPubKey)
		cmd.Printf("Unlocker ID: %s\n", passphraseUnlocker.GetID())
		cmd.Println("\nYour secret manager is ready to use!")
		cmd.Println("Note: When using SB_SECRET_MNEMONIC environment variable,")
		cmd.Println("unlockers are not required for secret operations.")
	}

	return nil
}

// readSecurePassphrase reads a passphrase securely from the terminal without echoing
// This version adds confirmation (read twice) for creating new unlockers
func readSecurePassphrase(prompt string) (string, error) {
	// Get the first passphrase
	passphrase1, err := secret.ReadPassphrase(prompt)
	if err != nil {
		return "", err
	}

	// Read confirmation passphrase
	passphrase2, err := secret.ReadPassphrase("Confirm passphrase: ")
	if err != nil {
		return "", fmt.Errorf("failed to read passphrase confirmation: %w", err)
	}

	// Compare passphrases
	if passphrase1 != passphrase2 {
		return "", fmt.Errorf("passphrases do not match")
	}

	return passphrase1, nil
}