#!/usr/bin/env bash
set -eo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
PACKAGE_NIX="$PROJECT_ROOT/nix/package.nix"

# lib.fakeHash — a structurally valid but incorrect sha256 that forces Nix
# to report the actual hash of whatever it fetches.
FAKE_HASH="sha256-AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="

# ---------------------------------------------------------------------------
# Platform check
# ---------------------------------------------------------------------------
# The Nix flake only targets x86_64-linux / aarch64-linux.  pnpm fetchDeps
# downloads platform-specific optional packages (e.g. @esbuild/darwin-arm64
# vs @esbuild/linux-arm64), so a macOS pnpm fetch produces a different hash
# than a Linux one.  This script must run on Linux or use a remote Linux
# Nix builder to produce the correct hash.
# ---------------------------------------------------------------------------
if [[ "$(uname)" == "Darwin" ]]; then
    echo "WARNING: This script should run on Linux (or via a Linux Nix remote builder)."
    echo ""
    echo "The Nix flake targets x86_64-linux/aarch64-linux only.  When pnpm fetches"
    echo "on macOS it downloads darwin-specific optional packages (@esbuild/darwin-arm64,"
    echo "etc.), producing a different hash than the Linux build expects."
    echo ""
    echo "Options:"
    echo "  1. SSH into a Linux machine and run this script there"
    echo "  2. Configure a Linux Nix remote builder in ~/.config/nix/nix.conf"
    echo "  3. Push to CI, copy the correct hash from the build error output,"
    echo "     then update nix/package.nix manually"
    echo ""
    read -p "Continue anyway (e.g. you have a remote builder configured)? [y/N] " -n 1 -r
    echo
    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
        exit 0
    fi
fi

echo "Updating pnpmDeps hash in nix/package.nix..."

# Extract current hash
CURRENT_HASH=$(grep -oP '(?<=hash = ")[^"]+' "$PACKAGE_NIX")
echo "  Current: $CURRENT_HASH"

# Swap in the fake hash so Nix is forced to compute and report the real one
if [[ "$(uname)" == "Darwin" ]]; then
    sed -i '' "s|$CURRENT_HASH|$FAKE_HASH|" "$PACKAGE_NIX"
else
    sed -i "s|$CURRENT_HASH|$FAKE_HASH|" "$PACKAGE_NIX"
fi

echo "  Running: nix build .#packages.x86_64-linux.default"
echo "  (Nix will fail with a hash mismatch — that is expected)"

BUILD_OUTPUT=$(nix build .#packages.x86_64-linux.default 2>&1 || true)

# Nix prints: "    got:    sha256-<actual hash>"
NEW_HASH=$(echo "$BUILD_OUTPUT" | grep "got:" | awk '{print $NF}' | head -1)

if [ -z "$NEW_HASH" ]; then
    echo ""
    echo "ERROR: Could not parse the correct hash from nix output."
    echo ""
    echo "Full build output:"
    echo "$BUILD_OUTPUT"
    echo ""
    echo "Restoring original hash..."
    if [[ "$(uname)" == "Darwin" ]]; then
        sed -i '' "s|$FAKE_HASH|$CURRENT_HASH|" "$PACKAGE_NIX"
    else
        sed -i "s|$FAKE_HASH|$CURRENT_HASH|" "$PACKAGE_NIX"
    fi
    exit 1
fi

# Write the real hash back
if [[ "$(uname)" == "Darwin" ]]; then
    sed -i '' "s|$FAKE_HASH|$NEW_HASH|" "$PACKAGE_NIX"
else
    sed -i "s|$FAKE_HASH|$NEW_HASH|" "$PACKAGE_NIX"
fi

echo "  Updated: $NEW_HASH"
echo ""
echo "Commit the change:"
echo "  git add nix/package.nix && git commit -m 'chore: adjust pnpmdeps hash'"