#!/usr/bin/env bash
# =============================================================================
# GIGARep GO — One script to rule them all
# Provisions OR verifies/fixes depending on state
# Usage: curl ... | sudo bash
# =============================================================================
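echo ""
echo "════════════════════════════════════════════════════════"
echo "  🤖 GIGARep Fleet Provisioning"
echo "════════════════════════════════════════════════════════"
echo ""

# Prompt for the seat identifier.
# The documented invocation pipes this script into bash, so stdin is the script
# text itself: a plain `read` would take the next script line as the answer.
# When stdin is not a terminal, read from the controlling terminal instead.
if [[ -t 0 ]]; then
    read -r -p "  Enter GIGARep seat (e.g. 65, m-1, m-5): " SEAT_NUM
else
    read -r -p "  Enter GIGARep seat (e.g. 65, m-1, m-5): " SEAT_NUM </dev/tty
fi
echo ""

if [[ -z "$SEAT_NUM" ]]; then
    echo "❌ No seat number entered. Exiting."
    exit 1
fi

# The seat is embedded in the machine hostname and passed on to other scripts,
# so accept only hostname-safe characters (letters, digits, hyphen).
if [[ "$SEAT_NUM" == *[!A-Za-z0-9-]* ]]; then
    echo "❌ Seat may contain only letters, digits and hyphens. Exiting."
    exit 1
fi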

# Derive the machine name from the seat.
# Management seats (prefix "m-" or "M-") get the capitalised "GIGARep-" prefix;
# every other seat gets the lowercase "gigarep-" prefix.
case "$SEAT_NUM" in
    [mM]-*) HOSTNAME="GIGARep-${SEAT_NUM}" ;;
    *)      HOSTNAME="gigarep-${SEAT_NUM}" ;;
esac
printf '\n  Machine: %s\n\n' "$HOSTNAME"

# Record the hardware name reported by `uname -m`; the dispatch that follows
# compares it with "arm64" to pick the provisioning path.
# NOTE(review): a shell running under Rosetta reports x86_64 — confirm that
# sending such a session down the non-arm64 path is acceptable.
ARCH="$(uname -m)"
printf '  Arch: %s\n\n' "$ARCH"

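# Dispatch on machine state: verify/fix an existing install, provision Apple
# Silicon inline, or hand off to the full provisioning script otherwise.
#
# Security notes for maintainers:
#   * Downloads go into a private mktemp directory instead of fixed /tmp names.
#     This script runs as root, and a predictable path in world-writable /tmp
#     can be pre-created by another local user.
#   * A helper script is executed only when its download succeeded; a failed
#     download never falls back to a file left over from an earlier run.
#   * No credentials are embedded. ANTHROPIC_API_KEY and TS_AUTHKEY are taken
#     from the environment when set, otherwise prompted for on the terminal.
#     Any key that was ever committed in this script should be treated as
#     exposed: revoke it and issue a new one.
#   * The helper scripts are fetched over HTTPS and run as root with no
#     checksum or signature check; their integrity rests on the serving host.

WORK_DIR=$(mktemp -d /tmp/gigarep.XXXXXX) || {
    echo "❌ Could not create a private work directory. Exiting."
    exit 1
}
trap 'rm -rf -- "${WORK_DIR:?}"' EXIT

# Download $1 to $2 over HTTPS only, retrying once. Extra curl options
# (e.g. -L for release URLs that redirect) may follow. Non-zero on failure.
_fetch() {
    local url=$1 dest=$2
    shift 2
    curl -fsS --proto '=https' --proto-redir '=https' "$@" "$url" -o "$dest" \
      || curl -fsS --proto '=https' --proto-redir '=https' "$@" "$url" -o "$dest"
}

# Print the secret held in the environment variable named $1; if it is unset
# or empty, prompt for it (prompt text $2) on the terminal without echo.
# Returns non-zero when no value could be obtained.
_read_secret() {
    local var_name=$1 prompt=$2
    local value=${!var_name:-}
    if [[ -z "$value" ]]; then
        read -r -s -p "  ${prompt}: " value </dev/tty
        printf '\n' >&2
    fi
    [[ -n "$value" ]] || return 1
    printf '%s' "$value"
}

# Install the .pkg at $1 system-wide, but only if it carries a valid signature.
_install_pkg() {
    local pkg=$1
    if ! pkgutil --check-signature "$pkg" >/dev/null 2>&1; then
        echo "❌ Signature check failed for ${pkg##*/}; not installing."
        return 1
    fi
    sudo installer -pkg "$pkg" -target / 2>&1 | tail -3
}

# Download the disk image at $1 and copy the bundle named $2 into /Applications.
_install_app_from_dmg() {
    local url=$1 app=$2
    local dmg="$WORK_DIR/${app%.app}.dmg"
    local mount_point="$WORK_DIR/${app%.app}-mount"
    # Copy only after a successful attach, so nothing but the mounted image
    # can supply the bundle.
    if _fetch "$url" "$dmg" -L \
        && hdiutil attach "$dmg" -nobrowse -mountpoint "$mount_point" 2>/dev/null; then
        cp -R "$mount_point/$app" /Applications/ 2>/dev/null
        hdiutil detach "$mount_point" -quiet 2>/dev/null
    fi
}

# Check if already provisioned
if command -v openclaw &>/dev/null && command -v tailscale &>/dev/null; then
    echo "  Detected existing install. Running VERIFY & FIX..."
    echo ""
    if _fetch https://gigarep-dev.taildaba93.ts.net/verify-and-fix.sh "$WORK_DIR/verify-and-fix.sh"; then
        bash "$WORK_DIR/verify-and-fix.sh"
    else
        echo "❌ Could not download verify-and-fix.sh. Exiting."
        exit 1
    fi
elif [[ "$ARCH" == "arm64" ]]; then
    echo "  Apple Silicon detected. Running ARM provision..."
    echo ""
    export PATH="/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin"

    # Homebrew and npm must run as the invoking user, not root.
    RUN_USER="${SUDO_USER:-$(id -un)}"

    # Homebrew
    if ! command -v brew &>/dev/null; then
        echo "Installing Homebrew..."
        sudo -u "$RUN_USER" NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
        if [[ -x /opt/homebrew/bin/brew ]]; then
            eval "$(/opt/homebrew/bin/brew shellenv)"
        fi
    fi

    # System setup
    sudo systemsetup -setremotelogin on 2>/dev/null
    sudo pmset -a sleep 0 displaysleep 0 disksleep 0 womp 1 autorestart 1 2>/dev/null
    sudo scutil --set HostName "$HOSTNAME"
    sudo scutil --set ComputerName "$HOSTNAME"
    sudo scutil --set LocalHostName "$HOSTNAME"

    # SSH key
    # Together with Remote Login above, this gives the holder of the fleet
    # admin key SSH access to this account. The idempotency check matches on
    # the key material itself rather than on the key's free-text comment.
    # NOTE(review): files created under ~ here are owned by root when the
    # script runs via sudo — confirm the owner is what the fleet expects.
    FLEET_KEY_BLOB='AAAAC3NzaC1lZDI1NTE5AAAAIHXIPMdjiuReXH2DzH059UTWBIiQEiZHfLp/cKW7Xzyu'
    mkdir -p ~/.ssh
    grep -qF -- "$FLEET_KEY_BLOB" ~/.ssh/authorized_keys 2>/dev/null \
      || printf '%s\n' "ssh-ed25519 ${FLEET_KEY_BLOB} admin@Mac.attlocal.net" >> ~/.ssh/authorized_keys
    chmod 700 ~/.ssh && chmod 600 ~/.ssh/authorized_keys

    # Node
    sudo -u "$RUN_USER" /opt/homebrew/bin/brew install node 2>/dev/null

    # npm globals
    sudo -u "$RUN_USER" /opt/homebrew/bin/npm install -g openclaw @anthropic-ai/claude-code gog 2>&1 | tail -5

    # Claude Code settings
    # NOTE(review): the allow list below pre-approves every shell, file and
    # web tool call, so anything that steers the agent can run arbitrary
    # commands on this machine. Narrow it if the seat's role permits.
    mkdir -p ~/.claude
    cat > ~/.claude/settings.json << 'CCEOF'
{
  "model": "claude-opus-4-6",
  "permissions": {
    "allow": ["Bash(*)", "Computer(*)", "Edit(*)", "Read(*)", "Write(*)", "WebFetch(*)", "WebSearch(*)"]
  },
  "preferences": {
    "thinking": "max"
  }
}
CCEOF
    # The API key is supplied at run time and stored readable by the owner only.
    if CLAUDE_KEY_VALUE=$(_read_secret ANTHROPIC_API_KEY "Anthropic API key for Claude Code"); then
        ( umask 077; printf 'ANTHROPIC_API_KEY=%s\n' "$CLAUDE_KEY_VALUE" > ~/.claude/.env )
        chmod 600 ~/.claude/.env
    else
        echo '❌ No Anthropic API key provided; ~/.claude/.env not written'
    fi
    unset CLAUDE_KEY_VALUE
    # DO NOT add to .zshrc — Claude Code reads from ~/.claude/.env directly and prompts if it's also in shell env

    # himalaya (ARM)
    # No checksum for this release is pinned here; pin a SHA-256 obtained from
    # a trusted source if one is available.
    _fetch 'https://github.com/pimalaya/himalaya/releases/download/v1.2.0/himalaya.aarch64-darwin.tgz' "$WORK_DIR/himalaya.tgz" -L \
      && tar -xzf "$WORK_DIR/himalaya.tgz" -C "$WORK_DIR" \
      && sudo install -m 755 "$WORK_DIR/himalaya" /usr/local/bin/himalaya 2>/dev/null

    # jq
    sudo -u "$RUN_USER" /opt/homebrew/bin/brew install jq 2>/dev/null

    # Tailscale
    if [ ! -d '/Applications/Tailscale.app' ]; then
        echo 'Downloading Tailscale pkg...'
        _fetch 'https://pkgs.tailscale.com/stable/Tailscale-1.96.5-macos.pkg' "$WORK_DIR/tailscale.pkg" -L \
          && _install_pkg "$WORK_DIR/tailscale.pkg"
    fi
    open -a Tailscale 2>/dev/null
    sleep 5
    TS_BIN='/Applications/Tailscale.app/Contents/MacOS/Tailscale'
    if [ -f "$TS_BIN" ]; then
        TS_IP=$("$TS_BIN" ip -4 2>/dev/null || echo "")
        if [[ -z "$TS_IP" ]]; then
            # The auth key is asked for only when the node still has to join.
            # It is passed on the command line, so it is briefly visible in
            # the process list; prefer a short-lived, single-use key.
            if TS_KEY_VALUE=$(_read_secret TS_AUTHKEY "Tailscale auth key"); then
                "$TS_BIN" up --authkey "$TS_KEY_VALUE" --hostname "$HOSTNAME" --accept-routes --accept-dns 2>&1 || echo 'Tailscale may need system extension approval'
            else
                echo '❌ No Tailscale auth key provided; skipping tailscale up'
            fi
            unset TS_KEY_VALUE
        else
            echo "Tailscale already connected ($TS_IP). Skipping."
        fi
    else
        echo '❌ Tailscale binary not found after install'
    fi

    # Chrome
    if [ ! -d '/Applications/Google Chrome.app' ]; then
        echo 'Installing Chrome...'
        _install_app_from_dmg 'https://dl.google.com/chrome/mac/universal/stable/GGRO/googlechrome.dmg' 'Google Chrome.app'
    fi
    if ls -d '/Applications/Google Chrome.app' 2>/dev/null; then
        echo '✅ Chrome'
    else
        echo '❌ Chrome'
    fi

    # BlueBubbles
    if [ ! -d '/Applications/BlueBubbles.app' ]; then
        echo 'Installing BlueBubbles...'
        _install_app_from_dmg 'https://github.com/BlueBubblesApp/bluebubbles-server/releases/download/v1.9.9/BlueBubbles-1.9.9.dmg' 'BlueBubbles.app'
    fi
    if ls -d '/Applications/BlueBubbles.app' 2>/dev/null; then
        echo '✅ BlueBubbles'
    else
        echo '❌ BlueBubbles'
    fi

    # RealVNC
    if [ ! -f /Library/vnc/vncserver ]; then
        echo 'Installing RealVNC...'
        _fetch 'https://downloads.realvnc.com/download/file/vnc.files/VNC-Server-7.15.0-MacOSX-universal.pkg' "$WORK_DIR/vnc.pkg" -L \
          && _install_pkg "$WORK_DIR/vnc.pkg"
    fi
    sudo mkdir -p /etc/vnc/config.d /etc/vnc/service
    sudo touch /etc/vnc/service/on
    sudo chown -R root:wheel /Library/vnc /etc/vnc 2>/dev/null
    sudo launchctl disable system/com.apple.screensharing 2>/dev/null
    sudo launchctl bootout system/com.apple.screensharing 2>/dev/null
    sudo launchctl load /Library/LaunchDaemons/com.realvnc.vncserver.plist 2>/dev/null

    # Mosyle
    if profiles status -type enrollment 2>/dev/null | grep -q 'MDM enrollment: Yes'; then
        echo 'Mosyle already enrolled.'
    else
        open 'https://join.mosyle.com/?account=gigagoods' 2>/dev/null
        echo 'Mosyle enrollment page opened.'
    fi

    echo ""
    echo "✅ Apple Silicon provision complete for $HOSTNAME"

    # Run verification checklist
    echo "  Running verification checklist..."
    # NOTE(review): ANTHROPIC_KEY is never assigned in this script, so this
    # export only passes on a value inherited from the environment — confirm
    # what verify-and-fix.sh expects.
    export ANTHROPIC_KEY
    if _fetch https://gigarep-dev.taildaba93.ts.net/verify-and-fix.sh "$WORK_DIR/verify-and-fix.sh"; then
        bash "$WORK_DIR/verify-and-fix.sh"
    else
        echo "❌ Could not download verify-and-fix.sh; verification skipped."
    fi
    echo "  Manual: sign in to RealVNC + grant privacy permissions"
else
    echo "  Intel detected. Running FULL PROVISION..."
    echo ""
    if _fetch https://gigarep-dev.taildaba93.ts.net/gigarep-provision-v3.sh "$WORK_DIR/provision.sh"; then
        bash "$WORK_DIR/provision.sh" "$HOSTNAME"
    else
        echo "❌ Could not download gigarep-provision-v3.sh. Exiting."
        exit 1
    fi
fi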
