"""bincio-auth CLI entry point."""

from __future__ import annotations

import secrets
from pathlib import Path

import click
from rich.console import Console
from rich.panel import Panel

console = Console()


@click.group()
def main() -> None:
    """bincio-auth — central authentication service."""


@main.command("init")
@click.option("--data-dir", required=True, type=click.Path(), help="Data directory to initialise")
@click.option("--handle", required=True, help="Admin user handle")
@click.option("--password", required=True, hide_input=True, confirmation_prompt=True)
@click.option("--display-name", default="", help="Admin display name (defaults to handle)")
@click.option("--max-users", default=0, type=int, help="Max users (0 = unlimited)")
def init_cmd(data_dir: str, handle: str, password: str, display_name: str, max_users: int) -> None:
    """Bootstrap a fresh bincio-auth instance."""
    from bincio.auth.db import create_invite, create_user, get_user, open_db, set_setting

    dd = Path(data_dir).expanduser().resolve()
    dd.mkdir(parents=True, exist_ok=True)

    console.print(f"[bold]Initialising bincio-auth[/bold] at [cyan]{dd}[/cyan]")

    db = open_db(dd)
    console.print("  [green]✓[/green] instance.db ready")

    existing = get_user(db, handle)
    if existing:
        console.print(f"  [yellow]·[/yellow] user '{handle}' already exists — skipping")
    else:
        create_user(db, handle, display_name or handle, password, is_admin=True)
        console.print(f"  [green]✓[/green] admin '{handle}' created")

    if max_users > 0:
        set_setting(db, "max_users", str(max_users))
        console.print(f"  [green]✓[/green] user limit set to {max_users}")

    # Generate JWT secret if not already stored
    from bincio.auth.db import get_setting
    if not get_setting(db, "jwt_secret"):
        jwt_secret = secrets.token_hex(32)
        set_setting(db, "jwt_secret", jwt_secret)
        console.print("  [green]✓[/green] JWT secret generated and stored")
    else:
        console.print("  [yellow]·[/yellow] JWT secret already set — skipping")

    code = create_invite(db, handle)

    console.print()
    console.print(Panel(
        f"[bold green]Instance ready![/bold green]\n\n"
        f"Admin:    [cyan]{handle}[/cyan]\n"
        f"Data dir: [cyan]{dd}[/cyan]\n\n"
        f"First invite code:\n\n"
        f"  [bold yellow]{code}[/bold yellow]\n\n"
        f"Share this with your first user:\n"
        f"  /register/?code={code}",
        title="bincio-auth init",
        border_style="green",
    ))


@main.command("serve")
@click.option("--data-dir", required=True, type=click.Path(), help="Data directory (contains instance.db)")
@click.option("--host", default="127.0.0.1")
@click.option("--port", default=4040, type=int)
@click.option("--jwt-secret", default=None, envvar="BINCIO_AUTH_JWT_SECRET",
              help="HS256 signing secret. Defaults to the value stored in the DB during `init`.")
def serve_cmd(data_dir: str, host: str, port: int, jwt_secret: str | None) -> None:
    """Start the bincio-auth API server."""
    import uvicorn

    import bincio.auth.server as srv
    from bincio.auth import deps
    from bincio.auth.db import get_setting, open_db

    dd = Path(data_dir).expanduser().resolve()
    if not (dd / "instance.db").exists():
        raise click.UsageError(
            f"No instance.db in {dd}. Run `bincio-auth init --data-dir {dd}` first."
        )

    db = open_db(dd)
    secret = jwt_secret or get_setting(db, "jwt_secret") or ""
    db.close()

    if not secret:
        raise click.UsageError(
            "No JWT secret configured. Pass --jwt-secret or run `bincio-auth init` first."
        )

    deps.data_dir = dd
    deps.jwt_secret = secret

    console.print("[bold]bincio-auth[/bold]")
    console.print(f"  Data: [cyan]{dd}[/cyan]")
    console.print(f"  URL:  [cyan]http://{host}:{port}[/cyan]")
    console.print()

    uvicorn.run(srv.app, host=host, port=port, log_level="info")