//! The typed step vocabulary.
//!
//! Steps are *typed actions*, not raw command strings, so a capability check
//! means something: an executor granted only `deploy`+`restart` rejects a
//! `sign` step before it ever dispatches. The actual command to run still
//! travels in `argv` (and `env`/`cwd`); the `action` is the capability label.

use serde::{Deserialize, Serialize};
use std::path::PathBuf;

/// What a step *does*, for capability gating. The label is independent of the
/// concrete command in `Step::argv` — two different `sign` recipes are both
/// `Action::Sign` and both gated by the `sign` grant.
#[derive(Clone, Debug, PartialEq, Eq, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum Action {
    // Bento (app release)
    Build,
    Sign,
    Notarize,
    Staple,
    Package,
    // Sando (server promotion)
    Deploy,
    Restart,
    Rollback,
    /// Read-only host inspection. Never mutates; gated by the `observe` plane.
    Observe(ObserveKind),
    /// Escape hatch for one-off steps. Still grant-gated: a `Custom` action is
    /// only permitted if the grant explicitly lists that same custom name.
    Custom(String),
}

impl Action {
    /// Is this an actuating (mutating) action, as opposed to observe?
    pub fn is_actuate(&self) -> bool {
        !matches!(self, Action::Observe(_))
    }

    /// The lower-case token used in topology config (`actuate = ["deploy", ...]`).
    /// `None` for `Observe` (those live in the `observe` list under their kind).
    pub fn token(&self) -> Option<String> {
        Some(match self {
            Action::Build => "build".into(),
            Action::Sign => "sign".into(),
            Action::Notarize => "notarize".into(),
            Action::Staple => "staple".into(),
            Action::Package => "package".into(),
            Action::Deploy => "deploy".into(),
            Action::Restart => "restart".into(),
            Action::Rollback => "rollback".into(),
            Action::Custom(s) => s.clone(),
            Action::Observe(_) => return None,
        })
    }

    /// Parse an actuate token from topology config. Unknown tokens become
    /// `Custom` so a config typo is a denied capability, never a silent build
    /// action.
    pub fn actuate_from_token(token: &str) -> Action {
        match token {
            "build" => Action::Build,
            "sign" => Action::Sign,
            "notarize" => Action::Notarize,
            "staple" => Action::Staple,
            "package" => Action::Package,
            "deploy" => Action::Deploy,
            "restart" => Action::Restart,
            "rollback" => Action::Rollback,
            other => Action::Custom(other.to_string()),
        }
    }
}

/// The kinds of read-only host inspection an `observe` grant can cover.
#[derive(Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Serialize, Deserialize)]
#[serde(rename_all = "snake_case")]
pub enum ObserveKind {
    Journal,
    Metrics,
    Health,
    BuildLog,
    Custom(String),
}

impl ObserveKind {
    pub fn token(&self) -> String {
        match self {
            ObserveKind::Journal => "journal".into(),
            ObserveKind::Metrics => "metrics".into(),
            ObserveKind::Health => "health".into(),
            ObserveKind::BuildLog => "build-log".into(),
            ObserveKind::Custom(s) => s.clone(),
        }
    }

    pub fn from_token(token: &str) -> ObserveKind {
        match token {
            "journal" => ObserveKind::Journal,
            "metrics" => ObserveKind::Metrics,
            "health" => ObserveKind::Health,
            "build-log" | "build_log" => ObserveKind::BuildLog,
            other => ObserveKind::Custom(other.to_string()),
        }
    }
}

/// One executable step: a typed action plus the command to run for it.
///
/// `argv` is the command and its arguments (argv[0] is the program). A shell
/// script is just `["/bin/sh", "-c", "<script>"]` — see [`Step::shell`], which
/// is how Sando's multi-statement deploy scripts ride this type.
#[derive(Clone, Debug, Serialize, Deserialize)]
pub struct Step {
    pub action: Action,
    pub argv: Vec<String>,
    #[serde(default)]
    pub env: Vec<(String, String)>,
    #[serde(default)]
    pub cwd: Option<PathBuf>,
}

impl Step {
    /// A step that runs a literal `argv` (no shell).
    pub fn new(action: Action, argv: impl IntoIterator<Item = impl Into<String>>) -> Self {
        Self {
            action,
            argv: argv.into_iter().map(Into::into).collect(),
            env: Vec::new(),
            cwd: None,
        }
    }

    /// A step that runs `script` through `/bin/sh -c` — pipes, `&&`, and
    /// `set -e` all work as written. This is the Sando deploy idiom.
    pub fn shell(action: Action, script: impl Into<String>) -> Self {
        Self {
            action,
            argv: vec!["/bin/sh".into(), "-c".into(), script.into()],
            env: Vec::new(),
            cwd: None,
        }
    }

    pub fn with_env(mut self, key: impl Into<String>, val: impl Into<String>) -> Self {
        self.env.push((key.into(), val.into()));
        self
    }

    pub fn with_cwd(mut self, cwd: impl Into<PathBuf>) -> Self {
        self.cwd = Some(cwd.into());
        self
    }

    /// True when this is a `/bin/sh -c <script>` shell step.
    pub(crate) fn shell_script(&self) -> Option<&str> {
        match self.argv.as_slice() {
            [sh, dash_c, script] if (sh == "/bin/sh" || sh == "sh") && dash_c == "-c" => {
                Some(script.as_str())
            }
            _ => None,
        }
    }
}

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn token_roundtrip() {
        for tok in ["build", "sign", "deploy", "restart", "rollback", "package"] {
            assert_eq!(Action::actuate_from_token(tok).token().as_deref(), Some(tok));
        }
    }

    #[test]
    fn unknown_actuate_token_is_custom_not_build() {
        let a = Action::actuate_from_token("frobnicate");
        assert_eq!(a, Action::Custom("frobnicate".into()));
        assert!(a.is_actuate());
    }

    #[test]
    fn observe_is_not_actuate() {
        assert!(!Action::Observe(ObserveKind::Health).is_actuate());
        assert_eq!(Action::Observe(ObserveKind::Health).token(), None);
    }

    #[test]
    fn shell_step_detected() {
        let s = Step::shell(Action::Deploy, "set -e; echo hi");
        assert_eq!(s.shell_script(), Some("set -e; echo hi"));
        let p = Step::new(Action::Build, ["cargo", "build"]);
        assert_eq!(p.shell_script(), None);
    }
}