#!/bin/bash
# autorepl-api — SSH-signed API requests for AutoRepl
# Usage: autorepl-api <METHOD> <path> [-d '<json_body>']
#
# Reads SSH key from $AUTOREPL_KEY_FILE (default: ~/.ssh/id_ed25519)
# Signs the request (method, path without query string, and a Unix timestamp) and sends it to api.autorepl.dev;
# the query string and body are not covered by the signature.
#
# Examples:
#   autorepl-api GET /v1/account
#   autorepl-api GET "/v1/projects/search?q=kv-cache"
#   autorepl-api POST /v1/projects -d '{"name":"My Project"}'
#   autorepl-api PATCH /v1/account/profile -d '{"bio":"ML researcher"}'

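set -euo pipefail

# Base URL and signing key, both overridable from the environment.
AUTOREPL_API="${AUTOREPL_API:-https://api.autorepl.dev}"
KEY_FILE="${AUTOREPL_KEY_FILE:-$HOME/.ssh/id_ed25519}"

# expand literal ~ that didn't get shell-expanded (common in env vars)
KEY_FILE="${KEY_FILE/#\~/$HOME}"

# The Authorization header built later is replayable for as long as the server
# accepts its timestamp (window not visible here); over plain http it would
# travel unencrypted. Warn rather than refuse so a local dev endpoint still works.
case "$AUTOREPL_API" in
	https://*) ;;
	*) printf 'Warning: AUTOREPL_API is not https (%s); the signed Authorization header would be sent unencrypted\n' "$AUTOREPL_API" >&2 ;;
esac

METHOD="${1:?Usage: autorepl-api METHOD PATH [-d BODY]}"
FULL_PATH="${2:?Usage: autorepl-api METHOD PATH [-d BODY]}"
shift 2

# Optional flags after METHOD and PATH; only -d <json> is understood.
BODY=""
while [[ $# -gt 0 ]]; do
	case "$1" in
		-d)
			# a bare "-d" would otherwise die with set -u's generic "unbound variable"
			[[ $# -ge 2 ]] || { echo "Error: -d requires a JSON body argument" >&2; exit 1; }
			BODY="$2"; shift 2 ;;
		*) echo "Unknown option: $1" >&2; exit 1 ;;
	esac
done

# Only the path (query string stripped) goes into the signed data, so the
# query string is not integrity-protected by the signature.
SIGN_PATH="${FULL_PATH%%\?*}"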

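# timestamp (seconds since the epoch); it is part of the signed data so the
# server can reject stale signatures
TS=$(date +%s)

# Fingerprint of the public key, sent as the keyid. Requires a sibling .pub
# file next to the private key.
# NB: the `|| true` matters — under `set -e -o pipefail` a failing command
# substitution in an assignment exits the script *before* the friendly error
# message below ever prints.
FP=$(ssh-keygen -lf "${KEY_FILE}.pub" 2>/dev/null | awk '{print $2}' || true)
if [[ -z "$FP" ]]; then
	echo "Error: Cannot read SSH public key at ${KEY_FILE}.pub" >&2
	echo "Set AUTOREPL_KEY_FILE to your SSH private key path" >&2
	exit 1
fi

# Signed payload: METHOD\nPATH\nTIMESTAMP. Neither the query string nor the
# request body is covered, so the signature does not bind them.
SIGN_DATA=$(printf '%s\n%s\n%s' "$METHOD" "$SIGN_PATH" "$TS")

# ssh-keygen -Y sign reads its message from a file and writes <file>.sig.
# Both live under a mktemp'd path and are removed on every exit path via trap
# (the original leaked them whenever signing failed, and also created an
# unused second temp file).
SIGN_FILE=$(mktemp)
cleanup() { rm -f -- "$SIGN_FILE" "${SIGN_FILE}.sig"; }
trap cleanup EXIT
printf '%s' "$SIGN_DATA" > "$SIGN_FILE"

# Keep ssh-keygen quiet on success but surface its stderr ("Couldn't load
# private key", bad namespace, ...) on failure instead of discarding it.
# A passphrase prompt still works: ssh-keygen reads it from the tty, not stderr.
if ! SIGN_ERR=$(ssh-keygen -Y sign -f "$KEY_FILE" -n autorepl "$SIGN_FILE" 2>&1 >/dev/null); then
	printf 'Error: signing with %s failed:\n%s\n' "$KEY_FILE" "$SIGN_ERR" >&2
	exit 1
fi

# Strip the armour lines so the base64 body fits in one header value.
# `|| true` keeps a no-match grep from silently killing the script under pipefail.
SIG_RAW=$(sed -n '/^-----BEGIN SSH SIGNATURE-----$/,/^-----END SSH SIGNATURE-----$/p' "${SIGN_FILE}.sig" \
	| grep -v '^-----' | tr -d '\n' || true)
if [[ -z "$SIG_RAW" ]]; then
	echo "Error: no SSH signature found in ${SIGN_FILE}.sig" >&2
	exit 1
fi

cleanup

AUTH_HEADER="Signature keyid=\"${FP}\" ts=\"${TS}\" sig=\"${SIG_RAW}\""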

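# Assemble the request. -sS: no progress meter, but transport/TLS errors are
# still reported on stderr (plain -s hid them and the script printed nothing).
# The signed header is passed on curl's argv, so it is briefly visible in
# `ps`; it is only valid within the server's timestamp window.
CURL_ARGS=(
	-sS
	-X "$METHOD"
	-H "Authorization: ${AUTH_HEADER}"
	-H "Content-Type: application/json"
)

# The body is sent verbatim (no JSON validation here) and is not part of the signed data.
if [[ -n "$BODY" ]]; then
	CURL_ARGS+=(-d "$BODY")
fi

# FULL_PATH, including any query string, is appended to the base URL as given.
curl "${CURL_ARGS[@]}" "${AUTOREPL_API}${FULL_PATH}"
echo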
