"""Provision non-secret provider auth markers into a smolmachines bottle."""

from __future__ import annotations

import os

from ....log import die
from .. import smolvm as _smolvm
from ..bottle_plan import SmolmachinesBottlePlan


_DEFAULT_GUEST_HOME = "/home/node"


def provision_provider_auth(plan: SmolmachinesBottlePlan, target: str) -> None:
    """Copy a dummy Codex auth marker when host credentials are
    forwarded through egress.

    The real host access token remains in the egress bundle env; this
    file only selects Codex's user/device auth code path.
    """
    if not plan.codex_auth_file:
        return
    guest_home = os.environ.get("BOT_BOTTLE_GUEST_HOME", _DEFAULT_GUEST_HOME)
    auth_dir = plan.guest_env.get("CODEX_HOME", f"{guest_home}/.codex")

    result = _smolvm.machine_exec(
        target,
        ["mkdir", "-p", auth_dir],
    )
    if result.returncode != 0:
        detail = (result.stderr or result.stdout).strip()
        if detail:
            detail = f": {detail}"
        die(f"codex host credentials: could not create {auth_dir}{detail}")
    result = _smolvm.machine_exec(target, ["chown", "node:node", auth_dir])
    if result.returncode != 0:
        detail = (result.stderr or result.stdout).strip()
        if detail:
            detail = f": {detail}"
        die(f"codex host credentials: could not chown {auth_dir}{detail}")
    result = _smolvm.machine_exec(target, ["chmod", "700", auth_dir])
    if result.returncode != 0:
        detail = (result.stderr or result.stdout).strip()
        if detail:
            detail = f": {detail}"
        die(f"codex host credentials: could not chmod {auth_dir}{detail}")
    result = _smolvm.machine_exec(
        target,
        [
            "find", auth_dir,
            "-maxdepth", "1",
            "-type", "f",
            "(",
            "-name", "*.sqlite",
            "-o", "-name", "*.sqlite-*",
            "-o", "-name", "*.codex-repair-*.bak",
            ")",
            "-delete",
        ],
    )
    if result.returncode != 0:
        detail = (result.stderr or result.stdout).strip()
        if detail:
            detail = f": {detail}"
        die(f"codex host credentials: could not reset runtime db files{detail}")

    auth_path = f"{auth_dir}/auth.json"
    _smolvm.machine_cp(str(plan.codex_auth_file), f"{target}:{auth_path}")
    _smolvm.machine_exec(target, ["chown", "node:node", auth_path])
    _smolvm.machine_exec(target, ["chmod", "600", auth_path])
    result = _smolvm.machine_exec(
        target,
        [
            "runuser", "-u", "node", "--",
            "env",
            f"HOME={guest_home}",
            f"CODEX_HOME={auth_dir}",
            "codex", "login", "status",
        ],
    )
    if result.returncode != 0:
        detail = (result.stderr or result.stdout).strip()
        if detail:
            detail = f": {detail}"
        die(
            "codex host credentials: dummy auth was copied into the "
            f"smolmachine, but Codex did not accept it{detail}"
        )