#!/usr/bin/env -S deno run -A

import {
    args,
    exit,
    getEnv,
    getSecretValue,
    log,
    stdinToArrayBuffer,
} from "https://script.hatter.ink/@54/deno-commons-mod.ts";
import {parseArgs} from "jsr:@std/cli/parse-args";

// specification: https://docs.openclaw.ai/gateway/secrets

// input:
// { "protocolVersion": 1, "provider": "vault", "ids": ["providers/openai/apiKey"] }

// output:
// { "protocolVersion": 1, "values": { "providers/openai/apiKey": "<openai-api-key>" } }
// or with error:
// {
//   "protocolVersion": 1,
//   "values": {},
//   "errors": { "providers/openai/apiKey": { "message": "not found" } }
// }

interface OpenClawSecretInput {
    protocolVersion: number;
    provider: string;
    ids: string[];
}

interface OpenClawSecretOutput {
    protocolVersion: number;
    values: Record<String, String>;
    errors: Record<string, Record<string, string>>;
}

interface GetSecretResponse {
    status: number;
    message: string;
    data: {
        created: number;
        modified: number;
        name: string;
        creatorKeyId: string;
        grantedKeyIds: string[];
        comment: string;
        value: string;
        version: number;
    };
}

const flags = parseArgs(args(), {
    boolean: ["help", "direct-output"],
    collect: ["id"],
    alias: {
        d: "direct-output",
    },
});

if (flags.help) {
    console.log(
        "export RUN_ENV=ALIBABA_CLOUD or `echo ALIBABA_CLOUD > ~/.config/envs/RUN_ENV` runs on Alibaba Cloud",
    );
    console.log(
        "openclaw-secret.ts --id ID1 [--id ID2] [--direct-output|-d]",
    );
    console.log(
        'echo \'{"protocolVersion": 1, "provider": "vault", "ids": ["providers/openai/apiKey"]}\' | openclaw-secret.ts',
    );
    exit(0);
}

// RUN_ENV values ALIBABA_CLOUD, LOCAL
const runEnv = getEnv("RUN_ENV");

log.debug("runEnv", runEnv);

let openClawInput;
if (flags.id) {
    openClawInput = {
        protocolVersion: 1,
        provider: "n/a",
        ids: flags.id,
    } as OpenClawSecretInput;
} else {
    const input = new TextDecoder().decode(await stdinToArrayBuffer());
    openClawInput = JSON.parse(input) as OpenClawSecretInput;
}

const values = {} as Record<string, string>;
const errors = {} as Record<string, Record<string, string>>;

if (openClawInput.protocolVersion !== 1) {
    console.error(
        `Invalid OpenClaw protocol version: ${openClawInput.protocolVersion}`,
    );
    exit(1);
}

if (flags["direct-output"]) {
    if (openClawInput.ids.length != 1) {
        console.error(
            `--direct-output requires only one id`,
            openClawInput.ids,
        );
        exit(1);
    }
    console.log(await getSecretValue(openClawInput.ids[0], runEnv));
    exit(0);
}

for (const id of openClawInput.ids) {
    try {
        values[id] = await getSecretValue(id, runEnv);
    } catch (e) {
        errors[id] = { message: e.message };
    }
}

const output = {
    protocolVersion: 1,
    values,
    errors,
} as OpenClawSecretOutput;

console.log(JSON.stringify(output, null, 2));