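#!/usr/bin/env bash
# Phase 5c end-to-end approval flow:
#   manager edits proposed -> commits -> request_apply_commit
#   user approves on host -> hive-c0re applies into authoritative repo -> rebuild
#   sub-agent container has the new package
#
# Runs as root on a host with services.hive-c0re enabled and the hm1nd
# container declared. Idempotent — wipes any prior alice state.
#
# Exit status: 0 when every step and assertion passes, 1 on the first
# failed assertion (set -e also aborts on any unchecked command failure).
set -euo pipefail

AGENT=alice
PKG=htop

#######################################
# Tear down everything this script created for $AGENT.
# Globals:   AGENT (read)
# Outputs:   progress banner to stdout
# Returns:   0; kill/destroy failures are tolerated (idempotent re-runs)
#######################################
cleanup() {
  echo "=== cleanup ==="
  sudo hive-c0re kill "$AGENT" 2>/dev/null || true
  sudo nixos-container destroy "h-${AGENT}" 2>/dev/null || true
  # ${AGENT:?} aborts the rm -rf if AGENT is ever empty, so the path can
  # never collapse to the parent directory.
  sudo rm -rf \
    "/var/lib/hyperhive/agents/${AGENT:?}" \
    "/var/lib/hyperhive/applied/${AGENT:?}"
}

#######################################
# Is the manager container running?
# Returns:   machinectl's status (0 when hm1nd is up)
#######################################
hm1nd_up() {
  sudo machinectl status hm1nd >/dev/null 2>&1
}

echo "=== precheck: hm1nd container is up ==="
if ! hm1nd_up; then
  echo " hm1nd is not running. Starting via systemd..."
  sudo systemctl start "container@hm1nd.service" || {
    echo "FAIL: could not start container@hm1nd.service."
    echo " Did you 'nixos-rebuild switch' after declaring containers.hm1nd in your host config?"
    exit 1
  }
  # wait briefly for it to come up (10 x 0.5s)
  for _ in 1 2 3 4 5 6 7 8 9 10; do
    hm1nd_up && break
    sleep 0.5
  done
  # The loop above falls through silently after the last attempt, so the
  # status has to be re-checked here instead of reporting success blindly.
  if ! hm1nd_up; then
    echo "FAIL: container@hm1nd.service was started but hm1nd did not come up within 5s"
    exit 1
  fi
fi
echo " hm1nd is up ✓"

cleanup

echo "=== spawn ${AGENT} ==="
sudo hive-c0re spawn "$AGENT"

echo "=== two-repo split visible ==="
echo " proposed (manager-editable):"
sudo ls -la "/var/lib/hyperhive/agents/${AGENT}/config/" | sed 's/^/ /'
echo " applied (hive-c0re only):"
sudo ls -la "/var/lib/hyperhive/applied/${AGENT}/" | sed 's/^/ /'

echo "=== manager cannot see the applied repo ==="
# Only an ls that *succeeds* is a leak; a failing ls is the expected outcome.
if sudo nixos-container run hm1nd -- ls "/var/lib/hyperhive/applied/${AGENT}" 2>/dev/null; then
  echo "FAIL: manager can see applied/ — bind-mount leak"
  exit 1
fi
echo " manager has no path to applied/ ✓"

echo "=== ${PKG} not installed in h-${AGENT} (pre-approve) ==="
if sudo nixos-container run "h-${AGENT}" -- which "$PKG" 2>/dev/null; then
  echo "FAIL: ${PKG} already in path"
  exit 1
fi
echo " not in path ✓"

echo "=== manager: edit agent.nix + commit + request_apply_commit ==="
# ${AGENT}/${PKG} are expanded on the host; \$SHA is deliberately left for the
# shell inside the container. The heredoc delimiter must stay at column 0.
sudo nixos-container run hm1nd -- bash -c "
  set -euo pipefail
  cd /agents/${AGENT}/config
  cat > agent.nix <<'EOF'
{ pkgs, ... }:
{
  environment.systemPackages = [ pkgs.${PKG} ];
}
EOF
  git commit -am 'add ${PKG}'
  SHA=\$(git rev-parse HEAD)
  echo \" manager commit SHA=\$SHA\"
  hive-m1nd request-apply-commit ${AGENT} \$SHA
"

echo "=== pending approvals ==="
sudo hive-c0re pending
# NOTE(review): this takes the most recent pending approval, not necessarily
# the one ${AGENT} just filed. On a host with other outstanding requests this
# could approve somebody else's commit — confirm the queue is otherwise empty
# before running, or filter on the agent/commit once the JSON schema is fixed.
ID=$(sudo hive-c0re pending \
  | python3 -c 'import sys,json;print(json.load(sys.stdin)["approvals"][-1]["id"])')
echo " using approval id ${ID}"

echo "=== approve ${ID} (advances applied/main + rebuilds h-${AGENT}) ==="
sudo hive-c0re approve "$ID"

echo "=== verify ${PKG} now in path ==="
sudo nixos-container run "h-${AGENT}" -- which "$PKG"

echo "=== verify applied repo HEAD carries the manager's change ==="
# `which` alone proves the binary is present, not that it got there via the
# approved commit; check that the authoritative tree itself references it.
if ! sudo git -C "/var/lib/hyperhive/applied/${AGENT}" grep -q -F -e "pkgs.${PKG}" HEAD; then
  echo "FAIL: applied/${AGENT} HEAD does not reference pkgs.${PKG}"
  exit 1
fi
echo " applied HEAD references pkgs.${PKG} ✓"

echo "=== applied repo git log ==="
sudo git -C "/var/lib/hyperhive/applied/${AGENT}" log --oneline -5

echo "=== approvals table ==="
if command -v sqlite3 >/dev/null; then
  sudo sqlite3 /var/lib/hyperhive/broker.sqlite \
    "SELECT id, agent, substr(commit_ref,1,12) AS sha, status FROM approvals ORDER BY id DESC LIMIT 5;"
else
  echo " (sqlite3 not on host PATH — skip)"
fi

echo
# No EXIT trap on purpose: Ctrl-C here is the documented way to keep the
# containers around for inspection.
read -r -p "press enter to tear down, Ctrl-C to leave running: "
cleanup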