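import fs from 'fs';
import path from 'path';
import { execFileSync } from 'child_process';

/**
 * Parse dotenv-style text and copy each `KEY=value` pair into `process.env`.
 *
 * Blank lines, lines starting with `#`, and lines without `=` are skipped.
 * A key that is already present in `process.env` is never overwritten, so
 * the real environment takes precedence over the file. One pair of matching
 * surrounding quotes (single or double) is stripped from the value; no escape
 * sequences or variable expansion are processed.
 *
 * @param contents Raw text of the env file (or of the decrypted sops output).
 */
function parseDotenv(contents: string): void {
  for (const rawLine of contents.split('\n')) {
    // trim() also drops the '\r' left behind by CRLF line endings.
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;

    const idx = line.indexOf('=');
    if (idx === -1) continue;

    const key = line.slice(0, idx).trim();
    // Values already set by the caller's environment win over the file.
    if (!key || key in process.env) continue;

    let value = line.slice(idx + 1).trim();
    const first = value.charAt(0);
    // Require at least two characters: a value that is a single quote
    // character both "starts" and "ends" with it, and stripping would
    // silently turn it into an empty string.
    const isQuoted =
      value.length >= 2 && (first === '"' || first === "'") && value.endsWith(first);
    if (isQuoted) {
      value = value.slice(1, -1);
    }

    process.env[key] = value;
  }
}

/**
 * Load local development secrets into `process.env`.
 *
 * Looks under `<cwd>/creds/` for, in order:
 *  1. `secrets.env`     - plaintext; if it exists and can be read, it is used
 *                         and the encrypted file is not consulted.
 *  2. `secrets.enc.env` - decrypted by running `sops -d`, unless the
 *                         `SKIP_SOPS_AUTOLOAD` environment variable is set to
 *                         any non-empty value (including "0" or "false").
 *
 * Every failure is swallowed on purpose (best effort): the function returns
 * normally even when nothing was loaded, so callers that require a secret
 * must check for it themselves.
 */
export function loadLocalSecrets(): void {
  // Paths are resolved against the working directory, not this module's
  // location: the process trusts whichever creds/ directory it is started in.
  const root = process.cwd();
  const plainPath = path.join(root, 'creds', 'secrets.env');
  const encPath = path.join(root, 'creds', 'secrets.enc.env');

  // NOTE(review): the plaintext copy takes precedence over the encrypted one,
  // so it should be kept out of version control and off shared machines.
  if (fs.existsSync(plainPath)) {
    try {
      parseDotenv(fs.readFileSync(plainPath, 'utf8'));
      return;
    } catch {
      // ignore and try encrypted
    }
  }

  if (fs.existsSync(encPath) && !process.env.SKIP_SOPS_AUTOLOAD) {
    try {
      // execFileSync passes encPath as an argv entry without going through a
      // shell; the `sops` binary itself is resolved via PATH. With no `stdio`
      // option, Node forwards the child's stderr to this process's stderr.
      const output = execFileSync('sops', ['-d', encPath], { encoding: 'utf8' });
      parseDotenv(output);
    } catch {
      // silent fail if sops/key not available
      // If logging is ever added here, do not dump the caught error wholesale:
      // execFileSync errors carry the child's captured stdout, which may hold
      // decrypted material.
    }
  }
}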