#!/usr/bin/env bash
# ═══════════════════════════════════════════════════════════════════════
# hermes-bootstrap.sh — One-shot setup for Hermes Agent (Said Ahamri)
# ═══════════════════════════════════════════════════════════════════════
# Public entry point: curl -fsSL https://h.ahamri.nl | bash
#
# Does:
#   1. Installs Hermes (via official installer)
#   2. Interactive OAuth login (Claude Max x20 account)
#   3. Sets default model = claude-opus-4-7
#   4. Installs daily backup to https://cloud.ahamri.nl  (admin app-token)
#      Backs up: skills/, memories/, kanban.db, state.db, config.yaml, .env
#      File:    <hostname>-YYYYMMDD.zip   in /hermes-backups/
#
# Flags:
#   --no-test                 skip smoke-test prompt
#   --skip-backup             don't install daily backup cron
#   --backup-now              run a one-shot backup immediately
#   --model <name>            override default (claude-opus-4-7)
# ═══════════════════════════════════════════════════════════════════════

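set -euo pipefail

HERMES_HOME="${HERMES_HOME:-$HOME/.hermes}"
BACKUP_HOME="$HOME/.config/hermes-backup"
MODEL="claude-opus-4-7"
DO_TEST=1
SKIP_BACKUP=0
BACKUP_NOW=0

# ── Backup target ─────────────────────────────────────────────────────
# The WebDAV secret is NOT stored in this file. The script is fetched from a
# public URL, so any literal placed here is readable by everyone who can
# download it; where the Nextcloud host sits on the network is not an access
# control. The secret is taken from HERMES_NC_PASS or, preferably, from the
# terminal prompt below (an environment assignment typed on a command line
# tends to end up in shell history).
# Prefer an app password of a dedicated low-privilege backup account
# (HERMES_NC_USER) over an administrator login.
# Any token that was ever shipped inside a published copy of this script has
# to be treated as disclosed and revoked on the server.
NC_URL_BAKED="https://cloud.ahamri.nl"
NC_USER_BAKED="${HERMES_NC_USER:-admin}"
NC_PASS_BAKED="${HERMES_NC_PASS:-}"
NC_REMOTE_BAKED="hermes-backups"

# ── Command-line flags ────────────────────────────────────────────────
while [[ $# -gt 0 ]]; do
  case "$1" in
    --no-test)      DO_TEST=0; shift ;;
    --skip-backup)  SKIP_BACKUP=1; shift ;;
    --backup-now)   BACKUP_NOW=1; shift ;;
    --model)
      # Without this check a trailing "--model" trips `set -u` on $2 with an
      # unhelpful "unbound variable" message.
      [[ $# -ge 2 ]] || { printf '%s\n' '--model requires a value' >&2; exit 1; }
      MODEL="$2"; shift 2 ;;
    -h|--help)
      # Lines 2-20 are the header comment. Under `curl … | bash` $0 is the
      # interpreter, not this file, so fall back to a one-line usage.
      if [[ -f "$0" ]]; then
        sed -n '2,20p' "$0"
      else
        printf '%s\n' 'Flags: --no-test --skip-backup --backup-now --model <name>'
      fi
      exit 0 ;;
    *)              printf 'Unknown flag: %s\n' "$1" >&2; exit 1 ;;
  esac
done

# MODEL is written verbatim into config.yaml further down; refuse empty
# values and control characters (newlines in particular) so that it cannot
# add lines or keys to that file.
if [[ -z "$MODEL" || "$MODEL" == *[[:cntrl:]]* ]]; then
  printf '%s\n' 'Invalid --model value' >&2
  exit 1
fi

# Resolve the backup secret only when a backup will actually be installed.
if [[ $SKIP_BACKUP -eq 0 && -z "$NC_PASS_BAKED" ]]; then
  # Under `curl … | bash` stdin carries the script text, so ask on the
  # controlling terminal instead. -s keeps the secret off the screen.
  if read -rsp "Nextcloud app password for '$NC_USER_BAKED': " NC_PASS_BAKED </dev/tty; then
    printf '\n' >&2
  fi
  if [[ -z "$NC_PASS_BAKED" ]]; then
    printf '%s\n' 'No backup credential: set HERMES_NC_PASS or pass --skip-backup' >&2
    exit 1
  fi
fi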

# ANSI colour sequences used by the status helpers below and by the final
# summary. \e is the same byte as \033.
GREEN=$'\e[0;32m'
YELLOW=$'\e[0;33m'
RED=$'\e[0;31m'
BOLD=$'\e[1m'
RESET=$'\e[0m'

# say WORDS… — bold "==>" section heading on stdout.
say() {
  printf '%s==> %s%s\n' "$BOLD" "$*" "$RESET"
}

# ok WORDS… — green check-mark line on stdout.
ok() {
  printf '%s ✓ %s%s\n' "$GREEN" "$*" "$RESET"
}

# warn WORDS… — yellow warning line on stdout; does not stop the script.
warn() {
  printf '%s ⚠ %s%s\n' "$YELLOW" "$*" "$RESET"
}

# die WORDS… — red error line on stderr, then exit with status 1.
die() {
  printf '%s ✗ %s%s\n' "$RED" "$*" "$RESET" >&2
  exit 1
}

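say "Hermes bootstrap — Said's homelab edition"

# ─── 1. System deps ────────────────────────────────────────────────────
say "[1/5] System dependencies"

# Run a command with root privileges: directly when already root, through
# sudo otherwise.
as_root() {
  if [[ $EUID -ne 0 ]]; then
    sudo "$@"
  else
    "$@"
  fi
}

# Collect the required tools that are not on PATH yet.
NEED=()
for c in python3 git curl jq zip; do
  command -v "$c" >/dev/null || NEED+=("$c")
done

if [[ ${#NEED[@]} -gt 0 ]]; then
  if command -v apt-get >/dev/null; then
    as_root apt-get update -qq
    # DEBIAN_FRONTEND goes through `env` so it works on both paths. Written
    # as `$SUDO VAR=value cmd`, an empty $SUDO (running as root) leaves
    # "VAR=value" as the command name, because the shell only recognises an
    # assignment when it is the first word before expansion.
    as_root env DEBIAN_FRONTEND=noninteractive \
      apt-get install -y -qq "${NEED[@]}" python3-venv python3-pip cron
  elif command -v dnf >/dev/null; then
    as_root dnf install -y "${NEED[@]}" python3-virtualenv python3-pip cronie
  elif command -v apk >/dev/null; then
    as_root apk add --no-cache "${NEED[@]}" py3-virtualenv py3-pip bash dcron
  else
    die "Unsupported package manager. Install: ${NEED[*]}"
  fi
fi
ok "Deps OK"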

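# Ensure ~/.local/bin exists and is on PATH, now and in future bash sessions.
mkdir -p "$HOME/.local/bin"
case ":$PATH:" in
  *":$HOME/.local/bin:"*) ;;
  *)
    # Single quotes are intentional: the line must expand when .bashrc runs.
    # shellcheck disable=SC2016
    path_line='export PATH="$HOME/.local/bin:$PATH"'
    # Append once only. A re-run from a shell that has not sourced .bashrc
    # (cron, `curl | bash` over ssh) would otherwise add a duplicate each time.
    if ! grep -qxF -- "$path_line" "$HOME/.bashrc" 2>/dev/null; then
      printf '%s\n' "$path_line" >> "$HOME/.bashrc"
    fi
    export PATH="$HOME/.local/bin:$PATH" ;;
esac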

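# ─── 2. Install Hermes ─────────────────────────────────────────────────
say "[2/5] Installing Hermes Agent"
if command -v hermes >/dev/null; then
  ok "Already installed: $(hermes --version 2>&1 | head -1)"
else
  # Fetch the installer completely before running it, so that a dropped
  # connection cannot leave a half-received script executing. --proto
  # restricts the transfer, redirects included, to HTTPS.
  # NOTE(review): authenticity rests on TLS alone; no checksum or signature
  # for install.sh is referenced here. Pin one if upstream publishes it.
  installer=$(mktemp) || die "mktemp failed"
  if ! curl --proto '=https' --tlsv1.2 -fsSL -o "$installer" \
      https://hermes-agent.nousresearch.com/install.sh; then
    rm -f -- "$installer"
    die "Could not download the Hermes installer"
  fi
  # stdin is detached: when this bootstrap itself arrives through a pipe, an
  # inherited stdin would be the rest of this script.
  rc=0
  bash "$installer" </dev/null || rc=$?
  rm -f -- "$installer"
  [[ $rc -eq 0 ]] || die "Hermes installer exited with status $rc"
  ok "Installed via official installer"
fi
hermes postinstall 2>&1 | tail -3 || warn "postinstall warnings — usually safe"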

# ─── 3. OAuth login ────────────────────────────────────────────────────
say "[3/5] Claude OAuth (use ahamris@gmail.com — Max x20)"
# State directory is private to the user: it will hold the OAuth tokens.
mkdir -p "$HERMES_HOME"
chmod 700 "$HERMES_HOME"

# Succeeds when `hermes auth status anthropic` prints text containing
# "logged in".
# NOTE(review): this is a substring match, so a line such as "not logged in"
# would satisfy it as well; confirm the CLI's exact status wording.
anthropic_logged_in() {
  hermes auth status anthropic 2>&1 | grep -q "logged in"
}

if ! anthropic_logged_in; then
  warn "Browser window / device-code URL will appear. Use your Max account."
  hermes login anthropic
  # Re-check rather than trusting the login command's exit status.
  anthropic_logged_in || die "OAuth login failed"
  ok "Logged in"
else
  ok "Already logged in"
fi

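# ─── 4. Set model + minimal config ─────────────────────────────────────
say "[4/5] Configuring model=$MODEL"
if [[ ! -f "$HERMES_HOME/config.yaml" ]]; then
  # Created under umask 077 so the file is never group/world-readable, not
  # even in the moment between creation and the chmod.
  (
    umask 077
    cat > "$HERMES_HOME/config.yaml" <<EOF
model:
  default: $MODEL
  provider: anthropic
  max_tokens: 8192
EOF
  )
  chmod 600 "$HERMES_HOME/config.yaml"
fi
# Point an existing config at the requested model/provider, or prepend a
# model: section when the file has none. argv[1] = config path, argv[2] = model.
python3 - "$HERMES_HOME/config.yaml" "$MODEL" <<'PY'
import pathlib
import re
import sys

path = pathlib.Path(sys.argv[1])
model = sys.argv[2]
text = path.read_text()
if re.search(r'(?m)^model:\s*$', text):
    # Function replacements are inserted literally. A replacement *string*
    # would interpret backslashes and group references inside the model name.
    # NOTE(review): the first "  default:" / "  provider:" line in the file is
    # rewritten wherever it sits; confirm no other section with those keys
    # can precede model:.
    text = re.sub(r'(?m)^(  default: ).*$',
                  lambda mo: mo.group(1) + model, text, count=1)
    text = re.sub(r'(?m)^(  provider: ).*$',
                  lambda mo: mo.group(1) + 'anthropic', text, count=1)
else:
    text = f"model:\n  default: {model}\n  provider: anthropic\n  max_tokens: 8192\n" + text
path.write_text(text)
PY
ok "config.yaml updated"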

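# ─── 5. Install backup cron ────────────────────────────────────────────
if [[ $SKIP_BACKUP -eq 1 ]]; then
  warn "[5/5] Backup setup SKIPPED (--skip-backup)"
else
  say "[5/5] Installing daily backup to $NC_URL_BAKED"

  mkdir -p "$BACKUP_HOME"; chmod 700 "$BACKUP_HOME"
  # The backup job `source`s this file, so every value is written
  # shell-quoted (%q). It is created under umask 077 so the secret is never
  # readable by other users, even before the chmod.
  (
    umask 077
    {
      printf 'NC_URL=%q\n'        "$NC_URL_BAKED"
      printf 'NC_USER=%q\n'       "$NC_USER_BAKED"
      printf 'NC_PASS=%q\n'       "$NC_PASS_BAKED"
      printf 'NC_REMOTE_DIR=%q\n' "$NC_REMOTE_BAKED"
    } > "$BACKUP_HOME/credentials"
  )
  chmod 600 "$BACKUP_HOME/credentials"

  # The backup script itself (quoted delimiter: written out literally)
  cat > "$HOME/.local/bin/hermes-backup" <<'BACKUP_EOF'
#!/usr/bin/env bash
# Daily Hermes state backup -> Nextcloud WebDAV
#
# Reads NC_URL, NC_USER, NC_PASS and NC_REMOTE_DIR from the credentials file.
# Optional: NC_CACERT, path to a CA bundle for a privately-issued server
# certificate.
set -euo pipefail

CRED="$HOME/.config/hermes-backup/credentials"
[[ -f "$CRED" ]] || { echo "Missing $CRED"; exit 1; }
# shellcheck disable=SC1090
source "$CRED"

HERMES_HOME="${HERMES_HOME:-$HOME/.hermes}"
HOST=$(hostname -s)
STAMP=$(date +%Y%m%d)
TMP=$(mktemp -d)
# The archive contains auth.json and .env, so the scratch directory is
# removed on every exit path, failed uploads included.
trap 'rm -rf -- "$TMP"' EXIT
ZIP="$TMP/${HOST}-${STAMP}.zip"
LOG="$HOME/.config/hermes-backup/last-backup.log"

# Escape a value for use inside a double-quoted string of a curl config file.
curl_quote() {
  local v=$1
  v=${v//\\/\\\\}
  v=${v//\"/\\\"}
  printf '%s' "$v"
}

{
  echo "=== $(date -Iseconds) backup ${HOST}-${STAMP} ==="

  # What we back up (small, important state). auth.json and .env hold live
  # secrets and the archive is not encrypted: whoever can read the remote
  # folder can read them.
  # NOTE(review): if several hosts upload with the same account, each host
  # can read the others' archives; confirm that is intended.
  cd "$HERMES_HOME"
  zip -qr "$ZIP" \
    skills/ memories/ \
    config.yaml \
    auth.json \
    .env \
    kanban.db state.db \
    SOUL.md \
    user_profile.json 2>/dev/null || true

  # Add per-session metadata (last 14 days)
  if [[ -d sessions ]]; then
    find sessions -mtime -14 -type f \( -name '*.json' -o -name '*.jsonl' \) \
      -print0 2>/dev/null | xargs -0 zip -qg "$ZIP" 2>/dev/null || true
  fi

  # Individual inputs may be absent (hence `|| true` above), but a run that
  # archived nothing must not pass for a backup.
  [[ -s "$ZIP" ]] || { echo "✗ Nothing was archived from $HERMES_HOME"; exit 3; }

  SIZE=$(stat -c %s "$ZIP" 2>/dev/null || stat -f %z "$ZIP")
  echo "Built $(basename "$ZIP")  size=$(numfmt --to=iec "$SIZE" 2>/dev/null || echo "$SIZE")"

  # Upload via WebDAV (overwrites same-day file = idempotent).
  # Certificate verification stays on (no -k): the request carries the
  # account password and an archive of tokens, so the server's identity has
  # to be checked. For a privately-issued certificate set NC_CACERT.
  # The password is handed to curl as a config stream on stdin (-K -), which
  # keeps it out of the process list.
  CURL_ARGS=(-sS -K - -T "$ZIP" -w '%{http_code}' -o /dev/null --max-time 600)
  if [[ -n "${NC_CACERT:-}" ]]; then
    CURL_ARGS+=(--cacert "$NC_CACERT")
  fi
  # `|| true`: on a transport error curl still prints 000, which is reported
  # below instead of ending the run silently under errexit.
  HTTP=$(printf 'user = "%s:%s"\n' "$(curl_quote "$NC_USER")" "$(curl_quote "$NC_PASS")" \
    | curl "${CURL_ARGS[@]}" \
        "$NC_URL/remote.php/dav/files/$NC_USER/$NC_REMOTE_DIR/$(basename "$ZIP")") || true

  if [[ "$HTTP" =~ ^(201|204)$ ]]; then
    echo "✓ Uploaded HTTP $HTTP"
  else
    echo "✗ Upload failed HTTP $HTTP"
    exit 2
  fi

  echo "OK $(date -Iseconds)"
} 2>&1 | tee -a "$LOG"

# Rotate log if >1MB. Written as `if`: as a bare `[[ … ]] && …` list on the
# last line, a small log made the whole script return status 1.
if [[ $(stat -c %s "$LOG" 2>/dev/null || echo 0) -gt 1048576 ]]; then
  tail -200 "$LOG" > "$LOG.tmp" && mv "$LOG.tmp" "$LOG"
fi
BACKUP_EOF
  chmod 755 "$HOME/.local/bin/hermes-backup"
  ok "Backup script installed: ~/.local/bin/hermes-backup"

  # Add cron entry (03:17 daily — off-hour, low chance of collisions).
  # Both stages are forced to succeed: `crontab -l` fails when the user has
  # no crontab and grep exits 1 when it selects no line, which under errexit
  # and pipefail can end the group before the new entry is emitted.
  CRON_LINE="17 3 * * * $HOME/.local/bin/hermes-backup >/dev/null 2>&1"
  {
    { crontab -l 2>/dev/null || true; } | { grep -vF 'hermes-backup' || true; }
    printf '%s\n' "$CRON_LINE"
  } | crontab -
  ok "Cron installed: $CRON_LINE"

  # Make sure cron is running. grep reads the whole listing (no -q) so the
  # producer is not cut off early, which pipefail would report as a failure.
  if command -v systemctl >/dev/null \
      && systemctl list-unit-files 2>/dev/null | grep -E '^cron(ie)?\.service' >/dev/null; then
    SUDO=""
    if [[ $EUID -ne 0 ]]; then
      SUDO="sudo"
    fi
    $SUDO systemctl enable --now cron 2>/dev/null || $SUDO systemctl enable --now cronie 2>/dev/null || true
  fi
fi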

# ─── Verify & smoke test ───────────────────────────────────────────────
# Show what got installed and the current auth state, trimmed to a few lines.
printf '\n'
say "Verification"
hermes --version 2>&1 | head -2
hermes auth status anthropic 2>&1 | tail -3

# One short prompt, capped at 30 s; a failure is reported but is not fatal.
if (( DO_TEST == 1 )); then
  say "Smoke test (one-shot prompt)"
  timeout 30 hermes -z "Reply with exactly: OK" 2>&1 | tail -8 \
    || warn "Smoke test failed — see HERMES_LOG_LEVEL=DEBUG output"
fi

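# Optional immediate backup (--backup-now).
if [[ $BACKUP_NOW -eq 1 ]]; then
  say "Running backup now"
  if [[ -x "$HOME/.local/bin/hermes-backup" ]]; then
    # Reported like the smoke test: a failed run must not abort the bootstrap
    # before the summary is printed.
    "$HOME/.local/bin/hermes-backup" \
      || warn "Backup run failed — see $BACKUP_HOME/last-backup.log"
  else
    # With --skip-backup on a fresh host the job was never installed.
    warn "hermes-backup is not installed (was --skip-backup used?)"
  fi
fi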

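# The summary below states mode 600 for these files. Nothing earlier sets the
# mode of auth.json, and config.yaml is only chmod'ed when this script
# created it, so enforce the mode here on whichever of them exist.
for f in "$HERMES_HOME/auth.json" "$HERMES_HOME/config.yaml" "$BACKUP_HOME/credentials"; do
  if [[ -f "$f" ]]; then
    chmod 600 "$f"
  fi
done

cat <<EOF

${BOLD}Done!${RESET}

  Run:       hermes
  One-shot:  hermes -z "your question"
  Backup:    hermes-backup        # run anytime
  Cron:      crontab -l           # daily 03:17

  Files (mode 600):
    $HERMES_HOME/auth.json
    $HERMES_HOME/config.yaml
    $BACKUP_HOME/credentials

  Backups at: $NC_URL_BAKED  →  Files → hermes-backups/
EOF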
