#!/usr/bin/env node
// Generate corrosion-nats authorization config from the licenses table.
//
// Per-license isolation without auth-callout: each license maps to a NATS user
// (user = license UUID, password = HMAC-SHA256(license_id, NATS_TOKEN_SECRET))
// whose publish/subscribe is restricted to corrosion.{license_id}.> (+ _INBOX
// for request-reply). The backend uses a privileged internal user.
//
// STAGING (NATS_AUTH_STAGE env):
//   "open"   (default) — defines a full-access `anonymous` user and sets
//                        no_auth_user, so unauthenticated clients still work.
//                        Non-breaking; lets you verify real creds first.
//   "enforce"          — omits no_auth_user; anonymous connections are rejected.
//
// Usage:
//   DATABASE_URL=... NATS_INTERNAL_USER=... NATS_INTERNAL_PASSWORD=... \
//   NATS_TOKEN_SECRET=... NATS_AUTH_STAGE=open node scripts/generate-nats-auth.mjs > docker/nats-auth.conf
//
// Re-run and reload NATS (`docker exec corrosion-nats nats-server --signal reload`)
// whenever licenses change.

import { createRequire } from 'node:module';
import { createHmac } from 'node:crypto';

const require = createRequire(new URL('../backend-nest/x.js', import.meta.url));
const { Client } = require('pg');

const {
  DATABASE_URL,
  NATS_INTERNAL_USER,
  NATS_INTERNAL_PASSWORD,
  NATS_TOKEN_SECRET,
  NATS_AUTH_STAGE = 'open',
} = process.env;

for (const [k, v] of Object.entries({ DATABASE_URL, NATS_INTERNAL_USER, NATS_INTERNAL_PASSWORD, NATS_TOKEN_SECRET })) {
  if (!v) { console.error(`Missing required env: ${k}`); process.exit(2); }
}

/** Per-license agent password — must match the backend's derivation. */
export function licensePassword(licenseId, secret) {
  return createHmac('sha256', secret).update(licenseId).digest('hex');
}

const esc = (s) => String(s).replace(/\\/g, '\\\\').replace(/"/g, '\\"');

const main = async () => {
  const pg = new Client({ connectionString: DATABASE_URL });
  await pg.connect();
  const { rows } = await pg.query('SELECT id FROM licenses ORDER BY created_at');
  await pg.end();

  const lines = [];
  lines.push('# GENERATED by scripts/generate-nats-auth.mjs — do not edit by hand.');
  lines.push(`# stage=${NATS_AUTH_STAGE}  licenses=${rows.length}`);
  lines.push('authorization {');
  lines.push('  users: [');
  // Privileged internal user — the backend (full corrosion.> + _INBOX + _SYS).
  lines.push(`    { user: "${esc(NATS_INTERNAL_USER)}", password: "${esc(NATS_INTERNAL_PASSWORD)}", permissions: { publish: ">", subscribe: ">" } }`);

  // Per-license scoped users.
  for (const { id } of rows) {
    const pw = licensePassword(id, NATS_TOKEN_SECRET);
    const scope = `corrosion.${id}.>`;
    lines.push(
      `    { user: "${esc(id)}", password: "${esc(pw)}", permissions: { ` +
        `publish: { allow: ["${scope}", "_INBOX.>"] }, ` +
        `subscribe: { allow: ["${scope}", "_INBOX.>"] } } }`,
    );
  }

  if (NATS_AUTH_STAGE === 'open') {
    // Transition: unauthenticated clients map to a full-access user so nothing
    // breaks while real credentials roll out. Remove for enforcement.
    lines.push('    { user: "anonymous", password: "", permissions: { publish: ">", subscribe: ">" } }');
  }
  lines.push('  ]');
  if (NATS_AUTH_STAGE === 'open') {
    lines.push('  no_auth_user: "anonymous"');
  }
  lines.push('}');
  process.stdout.write(lines.join('\n') + '\n');
};

main().catch((e) => { console.error(e); process.exit(1); });