import { execFileSync } from "node:child_process";
import {
  ALL_INTERFACES_BIND_HOST,
  LOOPBACK_BIND_HOST,
  inferBindModeFromHost,
  isAllInterfacesHost,
  isLoopbackHost,
  type BindMode,
  type DeploymentExposure,
  type DeploymentMode,
} from "@penclipai/shared";
import type { AuthConfig, ServerConfig } from "./schema.js";

const TAILSCALE_DETECT_TIMEOUT_MS = 3000;

type BaseServerInput = {
  port: number;
  allowedHostnames: string[];
  serveUi: boolean;
};

export function inferConfiguredBind(server?: Partial<ServerConfig>): BindMode {
  if (server?.bind) return server.bind;
  return inferBindModeFromHost(server?.customBindHost ?? server?.host);
}

export function detectTailnetBindHost(): string | undefined {
  const explicit = process.env.PAPERCLIP_TAILNET_BIND_HOST?.trim();
  if (explicit) return explicit;

  try {
    const stdout = execFileSync("tailscale", ["ip", "-4"], {
      encoding: "utf8",
      stdio: ["ignore", "pipe", "ignore"],
      timeout: TAILSCALE_DETECT_TIMEOUT_MS,
    });
    return stdout
      .split(/\r?\n/)
      .map((line) => line.trim())
      .find(Boolean);
  } catch {
    return undefined;
  }
}

export function buildPresetServerConfig(
  bind: Exclude<BindMode, "custom">,
  input: BaseServerInput,
): { server: ServerConfig; auth: AuthConfig } {
  const host =
    bind === "loopback"
      ? LOOPBACK_BIND_HOST
      : bind === "tailnet"
        ? (detectTailnetBindHost() ?? LOOPBACK_BIND_HOST)
        : ALL_INTERFACES_BIND_HOST;

  return {
    server: {
      deploymentMode: bind === "loopback" ? "local_trusted" : "authenticated",
      exposure: "private",
      bind,
      customBindHost: undefined,
      host,
      port: input.port,
      allowedHostnames: input.allowedHostnames,
      serveUi: input.serveUi,
    },
    auth: {
      baseUrlMode: "auto",
      disableSignUp: false,
    },
  };
}

export function buildCustomServerConfig(input: BaseServerInput & {
  deploymentMode: DeploymentMode;
  exposure: DeploymentExposure;
  host: string;
  publicBaseUrl?: string;
}): { server: ServerConfig; auth: AuthConfig } {
  const normalizedHost = input.host.trim();
  const bind = isLoopbackHost(normalizedHost)
    ? "loopback"
    : isAllInterfacesHost(normalizedHost)
      ? "lan"
      : "custom";

  return {
    server: {
      deploymentMode: input.deploymentMode,
      exposure: input.deploymentMode === "local_trusted" ? "private" : input.exposure,
      bind,
      customBindHost: bind === "custom" ? normalizedHost : undefined,
      host: normalizedHost,
      port: input.port,
      allowedHostnames: input.allowedHostnames,
      serveUi: input.serveUi,
    },
    auth:
      input.deploymentMode === "authenticated" && input.exposure === "public"
        ? {
          baseUrlMode: "explicit",
          disableSignUp: false,
          publicBaseUrl: input.publicBaseUrl,
        }
        : {
          baseUrlMode: "auto",
          disableSignUp: false,
        },
  };
}

export function resolveQuickstartServerConfig(input: {
  bind?: BindMode | null;
  deploymentMode?: DeploymentMode | null;
  exposure?: DeploymentExposure | null;
  host?: string | null;
  port: number;
  allowedHostnames: string[];
  serveUi: boolean;
  publicBaseUrl?: string;
}): { server: ServerConfig; auth: AuthConfig } {
  const trimmedHost = input.host?.trim();
  const explicitBind = input.bind ?? null;

  if (explicitBind === "loopback" || explicitBind === "lan" || explicitBind === "tailnet") {
    return buildPresetServerConfig(explicitBind, {
      port: input.port,
      allowedHostnames: input.allowedHostnames,
      serveUi: input.serveUi,
    });
  }

  if (explicitBind === "custom") {
    return buildCustomServerConfig({
      deploymentMode: input.deploymentMode ?? "authenticated",
      exposure: input.exposure ?? "private",
      host: trimmedHost || LOOPBACK_BIND_HOST,
      port: input.port,
      allowedHostnames: input.allowedHostnames,
      serveUi: input.serveUi,
      publicBaseUrl: input.publicBaseUrl,
    });
  }

  if (trimmedHost) {
    return buildCustomServerConfig({
      deploymentMode: input.deploymentMode ?? (isLoopbackHost(trimmedHost) ? "local_trusted" : "authenticated"),
      exposure: input.exposure ?? "private",
      host: trimmedHost,
      port: input.port,
      allowedHostnames: input.allowedHostnames,
      serveUi: input.serveUi,
      publicBaseUrl: input.publicBaseUrl,
    });
  }

  if (input.deploymentMode === "authenticated") {
    if (input.exposure === "public") {
      return buildCustomServerConfig({
        deploymentMode: "authenticated",
        exposure: "public",
        host: ALL_INTERFACES_BIND_HOST,
        port: input.port,
        allowedHostnames: input.allowedHostnames,
        serveUi: input.serveUi,
        publicBaseUrl: input.publicBaseUrl,
      });
    }

    return buildPresetServerConfig("lan", {
      port: input.port,
      allowedHostnames: input.allowedHostnames,
      serveUi: input.serveUi,
    });
  }

  return buildPresetServerConfig("loopback", {
    port: input.port,
    allowedHostnames: input.allowedHostnames,
    serveUi: input.serveUi,
  });
}