#!/usr/bin/env bash
# Install Moonlight on macOS via Homebrew cask.
# Standalone: does not source lib/common.sh (intended to run on a Mac that
# may not have the full repo checked out yet).

set -euo pipefail

if [[ -t 1 ]]; then
  BOLD=$'\033[1m'
  RED=$'\033[31m'
  GREEN=$'\033[32m'
  YELLOW=$'\033[33m'
  BLUE=$'\033[34m'
  RESET=$'\033[0m'
else
  BOLD="" RED="" GREEN="" YELLOW="" BLUE="" RESET=""
fi

step() { printf '\n%s==>%s %s%s%s\n' "$BLUE" "$RESET" "$BOLD" "$*" "$RESET"; }
info() { printf '  %s\n' "$*"; }
ok()   { printf '  %s✓%s %s\n' "$GREEN" "$RESET" "$*"; }
warn() { printf '  %s!%s %s\n' "$YELLOW" "$RESET" "$*" >&2; }
err()  { printf '  %s✗%s %s\n' "$RED" "$RESET" "$*" >&2; }

# Refuse to run anywhere but macOS.
if [[ "$(uname -s)" != "Darwin" ]]; then
  err "This script only runs on macOS (Darwin). Detected: $(uname -s)"
  exit 1
fi

step "Checking for Homebrew"
if ! command -v brew >/dev/null 2>&1; then
  err "Homebrew is not installed."
  info "Install it with the official one-liner, then re-run this script:"
  info ""
  info '  /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"'
  info ""
  info "See https://brew.sh for details."
  exit 1
fi
ok "Homebrew found: $(command -v brew)"

step "Installing Moonlight (brew cask)"
# brew install --cask is idempotent: re-running on an already-installed cask
# is a no-op and exits 0.
if brew install --cask moonlight; then
  ok "Moonlight installed (or already present)."
else
  err "brew install --cask moonlight failed."
  warn "Try: brew update && brew install --cask moonlight"
  exit 1
fi

# --- CA trust install (1Password-backed) ------------------------------------
# If `op` is available and signed in, fetch the omarchy-stream Root CA from
# 1Password and add it to the System keychain as a trusted root. This makes
# Safari / Chrome / curl trust the Sunshine web UI on every host without the
# self-signed warning. Skip cleanly if op isn't available or not signed in;
# the user can re-run after `eval $(op signin)`.
SKIP_CA="${SKIP_CA:-0}"
OP_VAULT="${OP_VAULT:-Private}"
OP_CA_ITEM="${OP_CA_ITEM:-Omarchy-Stream Root CA}"

if [[ $SKIP_CA -eq 1 ]]; then
  info "Skipping CA install (SKIP_CA=1)"
elif ! command -v op >/dev/null 2>&1; then
  info "1Password CLI ('op') not found. Skipping CA trust install."
  info "Install it from https://1password.com/downloads/command-line/ and re-run for trusted certs."
elif ! op whoami >/dev/null 2>&1; then
  info "1Password CLI is not signed in. Skipping CA trust install."
  info "Sign in with 'eval \$(op signin)' and re-run for trusted certs."
else
  step "Installing omarchy-stream CA into System keychain"
  ca_tmp="$(mktemp -t omarchy-ca.XXXXXX.pem)"
  trap 'rm -f "$ca_tmp"' EXIT
  if op read --no-newline "op://${OP_VAULT}/${OP_CA_ITEM}/cert" >"$ca_tmp" 2>/dev/null && [[ -s "$ca_tmp" ]]; then
    info "Fetched CA from 1Password (vault: ${OP_VAULT})"
    info "Adding to /Library/Keychains/System.keychain — you may be prompted for your password."
    if sudo security add-trusted-cert -d -r trustRoot \
         -k /Library/Keychains/System.keychain "$ca_tmp"; then
      ok "CA installed as trusted root."
    else
      warn "security add-trusted-cert failed. You can add the cert manually via Keychain Access."
    fi
  else
    warn "Could not read 'cert' field from item '${OP_CA_ITEM}' in vault '${OP_VAULT}'."
    warn "Run scripts/cert-bootstrap.sh on a Linux host first, then re-run this script."
  fi
fi

step "Next steps"
info "App location:  /Applications/Moonlight.app"
info "Launch:        open -a Moonlight"
info ""
info "Pair this Mac with your Sunshine host by following the walkthrough in:"
info "  client/README.md"
info ""
ok "Done."