import json
import os
from pathlib import Path


def _split_csv_env(name: str) -> list[str]:
    raw = os.getenv(name, "")
    if not raw:
        return []
    return [part.strip() for part in raw.split(",") if part.strip()]


def main() -> int:
    token = os.getenv("OPENCLAW_GATEWAY_TOKEN", "").strip()
    bind_mode = os.getenv("OPENCLAW_GATEWAY_BIND", "lan").strip() or "lan"
    control_ui_base_path = os.getenv("OPENCLAW_CONTROL_UI_BASE_PATH", "/openclaw").strip() or "/openclaw"
    allowed_origins = _split_csv_env("OPENCLAW_ALLOWED_ORIGINS")
    if not allowed_origins:
        # Safe defaults for local diagnostics + HF public Space URL.
        allowed_origins = [
            "http://127.0.0.1:7860",
            "http://localhost:7860",
            "https://researchengineering-agi-assistant.hf.space",
        ]
    trusted_proxies = _split_csv_env("OPENCLAW_TRUSTED_PROXIES")
    if not trusted_proxies:
        trusted_proxies = ["127.0.0.1", "::1"]
    allow_insecure_auth = os.getenv("OPENCLAW_CONTROL_UI_ALLOW_INSECURE_AUTH", "1").strip() in {
        "1",
        "true",
        "True",
        "yes",
        "on",
    }
    disable_device_auth = os.getenv("OPENCLAW_CONTROL_UI_DISABLE_DEVICE_AUTH", "1").strip() in {
        "1",
        "true",
        "True",
        "yes",
        "on",
    }

    state_path = Path("/app/.openclaw/state/openclaw.json")
    state_path.parent.mkdir(parents=True, exist_ok=True)

    data = {}
    if state_path.exists():
        try:
            data = json.loads(state_path.read_text(encoding="utf-8"))
        except Exception:
            data = {}

    gateway = data.get("gateway", {})
    if not isinstance(gateway, dict):
        gateway = {}
    gateway["bind"] = bind_mode

    if token:
        auth = gateway.get("auth", {})
        if not isinstance(auth, dict):
            auth = {}
        auth["token"] = token
        gateway["auth"] = auth

    control_ui = gateway.get("controlUi", {})
    if not isinstance(control_ui, dict):
        control_ui = {}
    control_ui["basePath"] = control_ui_base_path
    control_ui["allowedOrigins"] = allowed_origins
    control_ui["allowInsecureAuth"] = allow_insecure_auth
    # Break-glass for reverse-proxied hosted setups that cannot complete pairing reliably.
    control_ui["dangerouslyDisableDeviceAuth"] = disable_device_auth
    gateway["controlUi"] = control_ui
    gateway["trustedProxies"] = trusted_proxies

    data["gateway"] = gateway

    state_path.write_text(json.dumps(data, indent=2) + "\n", encoding="utf-8")
    print(
        "[bootstrap] gateway settings applied:"
        f" bind={bind_mode}"
        f" basePath={control_ui_base_path}"
        f" allowedOrigins={allowed_origins}"
        f" trustedProxies={trusted_proxies}"
        f" allowInsecureAuth={allow_insecure_auth}"
        f" dangerouslyDisableDeviceAuth={disable_device_auth}"
    )
    return 0


if __name__ == "__main__":
    raise SystemExit(main())