SHELL := /usr/bin/env bash
.DEFAULT_GOAL := help

# Operator age public key — used as bundle encryption recipient
OPERATOR_AGE_PUBKEY := $(shell cat keys/age.pub 2>/dev/null | tr -d '[:space:]')
SECURITY_BOOTSTRAP_METADATA ?= $(if $(METADATA),$(METADATA),.local/security-bootstrap.json)
SECURITY_BOOTSTRAP_HOST ?= $(if $(HOST),$(HOST),127.0.0.1)
SECURITY_BOOTSTRAP_PORT ?= $(if $(PORT),$(PORT),8876)
OPENBAO_RESTORE_EVIDENCE ?= /tmp/netkingdom-openbao-restore-drill/evidence.json
OPENBAO_EMERGENCY_EVIDENCE ?= /tmp/netkingdom-openbao-emergency-drill/evidence.json
BOOTSTRAP_CLEANUP_EVIDENCE ?= /tmp/netkingdom-bootstrap-cleanup/evidence.json
LIFECYCLE_FLOW_EVIDENCE ?= /tmp/netkingdom-lifecycle-flow/evidence.json
ONBOARDING_DRY_RUN_EVIDENCE ?= /tmp/netkingdom-onboarding-dry-run/evidence.json
RAILIANCE_PLATFORM_PATH ?= ../railiance-platform
CUSTODY_ROSTER ?= .local/custody-roster.json
CUSTODY_ROSTER_SIGNATURE ?= .local/custody-roster.json.sig
CUSTODY_ROSTER_ALLOWED_SIGNERS ?= .local/custody-roster.allowed_signers
CUSTODY_ROSTER_SIGNING_KEY ?= $(HOME)/.ssh/id_custodian_agent
CUSTODY_ROSTER_SIGNING_PRINCIPAL ?= platform-custodian

# ── Help ──────────────────────────────────────────────────────────────────────
help: ## Show this help
	@echo "net-kingdom — available targets"
	@echo ""
	@grep -E '^[a-zA-Z0-9_-]+:.*?## ' $(MAKEFILE_LIST) \
	  | sort \
	  | awk 'BEGIN {FS = ":.*?## "}; {printf "  %-28s %s\n", $$1, $$2}'

# ── Git hooks ─────────────────────────────────────────────────────────────────
hooks: ## Configure git to use repo-local hooks (.githooks)
	@mkdir -p .githooks
	git config core.hooksPath .githooks
	@test -f .githooks/pre-commit \
	  || (echo "ERROR: .githooks/pre-commit not found"; exit 1)
	chmod +x .githooks/pre-commit
	@echo "✔ git hooks enabled (.githooks/pre-commit is active)"

hooks-test: ## Test that the pre-commit hook blocks plaintext secrets
	@mkdir -p sso-mfa/bootstrap/secrets/_hooktest
	@echo 'PI_SECRET_KEY=deadbeef' > sso-mfa/bootstrap/secrets/_hooktest/test.env
	@git add sso-mfa/bootstrap/secrets/_hooktest/test.env 2>/dev/null || true
	@if git commit -m "TEST: hook must block this" 2>/dev/null; then \
	  echo "FAIL: hook did NOT block plaintext commit"; \
	  git reset --soft HEAD~1 2>/dev/null || true; \
	else \
	  echo "✔ Hook blocked plaintext as expected"; \
	fi
	@git restore --staged sso-mfa/bootstrap/secrets/_hooktest/test.env 2>/dev/null || true
	@rm -rf sso-mfa/bootstrap/secrets/_hooktest

# ── SOPS / age ────────────────────────────────────────────────────────────────
sops-setup: ## Legacy dev-local setup: copy age key to SOPS default path
	@mkdir -p ~/.config/sops/age
	@if [[ -f ~/.config/age/key.txt ]]; then \
	  cp -n ~/.config/age/key.txt ~/.config/sops/age/keys.txt || true; \
	  chmod 600 ~/.config/sops/age/keys.txt; \
	  echo "✔ SOPS key ready at ~/.config/sops/age/keys.txt"; \
	elif [[ -f ~/.config/sops/age/keys.txt ]]; then \
	  echo "✔ SOPS key already present at ~/.config/sops/age/keys.txt"; \
	else \
	  echo "ERROR: age key not found at ~/.config/age/key.txt"; \
	  echo "       Generate one with: age-keygen -o ~/.config/age/key.txt"; \
	  exit 1; \
	fi

sops-edit: ## Edit an encrypted file with SOPS: make sops-edit FILE=secrets/foo.yaml
	@[[ -n "$(FILE)" ]] || (echo "Usage: make sops-edit FILE=secrets/path/to/file.yaml"; exit 1)
	sops $(FILE)

sops-encrypt: ## Encrypt a file in place: make sops-encrypt FILE=secrets/foo.yaml
	@[[ -n "$(FILE)" ]] || (echo "Usage: make sops-encrypt FILE=secrets/path/to/file.yaml"; exit 1)
	sops --encrypt --in-place $(FILE)
	@echo "✔ Encrypted $(FILE)"

sops-decrypt: ## Decrypt a file to stdout (never writes plaintext to disk): make sops-decrypt FILE=secrets/foo.yaml
	@[[ -n "$(FILE)" ]] || (echo "Usage: make sops-decrypt FILE=secrets/path/to/file.yaml"; exit 1)
	sops -d $(FILE)

sops-rotate: ## Rotate SOPS recipients after updating .sops.yaml: make sops-rotate FILE=secrets/foo.yaml
	@[[ -n "$(FILE)" ]] || (echo "Usage: make sops-rotate FILE=secrets/path/to/file.yaml"; exit 1)
	sops --rotate --in-place $(FILE)
	@echo "✔ Recipients rotated for $(FILE)"

sops-custody-check: ## Validate a custody age key against keys/age.pub without keeping it on disk
	@bash sso-mfa/bootstrap/sops-custody-unlock.sh \
	  --expected-recipient "$(OPERATOR_AGE_PUBKEY)" \
	  --check-only

sops-custody-shell: ## Open a shell with a temporary SOPS_AGE_KEY_FILE from custody material
	@bash sso-mfa/bootstrap/sops-custody-unlock.sh \
	  --expected-recipient "$(OPERATOR_AGE_PUBKEY)"

sops-custody-run: ## Run COMMAND with a temporary custody age key: make sops-custody-run COMMAND='make -C ../inter-hub recovery-drill'
	@[[ -n "$(COMMAND)" ]] || (echo "Usage: make sops-custody-run COMMAND='make -C ../inter-hub recovery-drill'"; exit 1)
	@COMMAND='$(COMMAND)' bash sso-mfa/bootstrap/sops-custody-unlock.sh \
	  --expected-recipient "$(OPERATOR_AGE_PUBKEY)" \
	  -- bash -lc "$$COMMAND"

check-secrets: ## Fail if any file under secrets/ is not SOPS-encrypted
	@echo "Checking for unencrypted files under secrets/..."
	@bad=0; \
	while IFS= read -r f; do \
	  [[ -z "$$f" ]] && continue; \
	  if grep -qE '^[[:space:]]*sops:[[:space:]]*$$|"sops"[[:space:]]*:' "$$f" 2>/dev/null; then \
	    continue; \
	  fi; \
	  case "$$f" in *.age|*.gpg) continue ;; esac; \
	  echo "  UNENCRYPTED: $$f"; bad=1; \
	done < <(git ls-files --others --cached 'secrets' 2>/dev/null | grep -v '/$'); \
	if [[ "$$bad" -ne 0 ]]; then \
	  echo ""; \
	  echo "ERROR: Unencrypted secret(s) detected. Encrypt with: sops --encrypt --in-place <file>"; \
	  exit 1; \
	fi; \
	echo "✔ All secrets/ files appear SOPS-encrypted"

# ── Credential lifecycle ──────────────────────────────────────────────────────
creds-init: sops-setup hooks ## One-time setup: verify prerequisites, configure SOPS and git hooks
	@echo "=== creds-init: checking prerequisites ==="
	@command -v age  >/dev/null 2>&1 || (echo "ERROR: age not installed  (apt install age)"; exit 1)
	@command -v sops >/dev/null 2>&1 || (echo "ERROR: sops not installed (see https://github.com/getsops/sops/releases)"; exit 1)
	@command -v kubectl >/dev/null 2>&1 \
	  && echo "✔ kubectl found" \
	  || echo "WARN: kubectl not found (required for creds-apply/verify)"
	@test -f ~/.config/sops/age/keys.txt \
	  || (echo "ERROR: age key not found — run 'make sops-setup' after placing your key at ~/.config/age/key.txt"; exit 1)
	@echo ""
	@echo "✔ creds-init complete. Next: make creds-generate"

creds-generate: ## Generate all service secrets and print KeePassXC entry guide
	@command -v openssl >/dev/null 2>&1 || (echo "ERROR: openssl not found"; exit 1)
	cd sso-mfa/bootstrap && bash gen-secrets.sh
	@sed -i "s|^generated_at: .*|generated_at: $$(date -Iseconds)|" sso-mfa/bootstrap/creds-state.yaml
	@echo ""
	@echo "State: generated_at updated in sso-mfa/bootstrap/creds-state.yaml"
	@echo "Next : enter values into KeePassXC, then set keepass_confirmed: true"
	@echo "       Run 'make creds-bundle' to create an encrypted offsite backup."

creds-bundle: ## Age-encrypt the ops bundle for offsite storage
	@[[ -n "$(OPERATOR_AGE_PUBKEY)" ]] \
	  || (echo "ERROR: keys/age.pub not found — cannot determine encryption recipient"; exit 1)
	@[[ -d sso-mfa/bootstrap/secrets ]] \
	  || (echo "ERROR: sso-mfa/bootstrap/secrets/ not found — run 'make creds-generate' first"; exit 1)
	cd sso-mfa/bootstrap && bash pack-bundle.sh secrets "$(OPERATOR_AGE_PUBKEY)"
	@sed -i "s|^bundle_at: .*|bundle_at: $$(date -Iseconds)|" sso-mfa/bootstrap/creds-state.yaml
	@echo ""
	@echo "State: bundle_at updated in sso-mfa/bootstrap/creds-state.yaml"
	@echo "Store the .tar.age bundle offsite (external drive, encrypted cloud, second location)."

creds-apply: ## Apply all create-secrets.sh scripts to the cluster in dependency order
	bash sso-mfa/bootstrap/creds-apply.sh

creds-verify: ## Check all expected K8s secrets exist and update creds-state.yaml
	bash sso-mfa/bootstrap/creds-verify.sh

creds-status: ## Print human-readable credential state from creds-state.yaml
	bash sso-mfa/bootstrap/creds-status.sh

creds-rotate: ## Guided rotation for one secret: make creds-rotate SECRET=<name>
	@[[ -n "$(SECRET)" ]] \
	  || (echo "Usage: make creds-rotate SECRET=<name>"; \
	      echo ""; \
	      echo "Known secrets:"; \
	      echo "  PI_SECRET_KEY  PI_PEPPER  PI_DB_PASSWORD  LLDAP_JWT_SECRET"; \
	      echo "  LLDAP_LDAP_USER_PASS  AUTHELIA_SESSION_SECRET"; \
	      echo "  AUTHELIA_KEYCAPE_CLIENT_SECRET  KEYCAPE_RSA_KEY"; \
	      echo "  BREAKGLASS_PASSWORD"; \
	      exit 1)
	SECRET=$(SECRET) bash sso-mfa/bootstrap/creds-rotate.sh

## ── Agent-driven credential lifecycle (NK-WP-0005) ──────────────────────────

creds-agent-init: ## Fully automated credential bootstrap — generates, encrypts, injects, delivers emergency bundle
	@bash sso-mfa/bootstrap/creds-bootstrap-agent.sh

creds-agent-status: ## Show current v2 bootstrap state (agent mode)
	@bash sso-mfa/bootstrap/creds-status.sh --v2

creds-emergency-reprint: ## Re-deliver emergency bundle (if lost/stolen — reprints, rotates nothing)
	@bash sso-mfa/bootstrap/emergency-bundle.sh --reprint

iam-profile-conformance-test: ## Run IAM Profile v0.2 conformance fixture tests
	python3 -m pytest tools/iam-profile-conformance/tests

playbook-contract-test: ## Run Playbook Capability Contract fixture tests
	python3 -m pytest tools/playbook-capability-contract/tests

security-bootstrap-console-test: ## Run automated tests for bootstrap console UI/sections/runbooks (NET-WP-0018-T07)
	python3 -m pytest tools/security-bootstrap-console/tests

# Syntax check for key bootstrap helper scripts (part of T07 layered tests)
security-bootstrap-scripts-syntax: ## Shell syntax check for bootstrap scripts
	bash -n sso-mfa/k8s/lldap/dry-run-nonroot-user.sh
	bash -n sso-mfa/k8s/lldap/create-user.sh
	bash -n sso-mfa/k8s/lldap/break-glass.sh || true  # may have env assumptions
	@echo "✔ bootstrap scripts syntax OK"

security-bootstrap-validate-keycape-client: ## Validate KeyCape OpenBao client definition+deployment (T08)
	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
	  --metadata "$(SECURITY_BOOTSTRAP_METADATA)" \
	  validate-keycape-client || true

security-bootstrap-console: security-bootstrap-metadata-init ## Show guided security bootstrap status and safe actions
	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
	  --metadata "$(SECURITY_BOOTSTRAP_METADATA)" \
	  status

security-bootstrap-king-kit: ## Print the king credential kit checklist
	python3 tools/security-bootstrap-console/security_bootstrap_console.py king-kit

security-bootstrap-validate-kit: ## Validate non-secret king credential metadata
	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
	  --metadata "$(SECURITY_BOOTSTRAP_METADATA)" \
	  validate-king-kit

security-bootstrap-validate-t02: ## Validate NET-WP-0017-T02 OpenBao audit/recovery gates
	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
	  --metadata "$(SECURITY_BOOTSTRAP_METADATA)" \
	  validate-t02 \
	  --railiance-path "$(RAILIANCE_PLATFORM_PATH)" \
	  --restore-evidence "$(OPENBAO_RESTORE_EVIDENCE)" \
	  --emergency-evidence "$(OPENBAO_EMERGENCY_EVIDENCE)" \
	  --custody-roster "$(CUSTODY_ROSTER)" \
	  --custody-roster-signature "$(CUSTODY_ROSTER_SIGNATURE)" \
	  --custody-roster-allowed-signers "$(CUSTODY_ROSTER_ALLOWED_SIGNERS)"

security-bootstrap-validate-cleanup: ## Validate NET-WP-0017-T03/T04 cleanup and taint evidence
	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
	  --metadata "$(SECURITY_BOOTSTRAP_METADATA)" \
	  validate-cleanup \
	  --evidence "$(BOOTSTRAP_CLEANUP_EVIDENCE)"

security-bootstrap-validate-lifecycle-flow: ## Validate NET-WP-0017-T05 lifecycle operator-flow evidence
	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
	  validate-lifecycle-flow \
	  --evidence "$(LIFECYCLE_FLOW_EVIDENCE)"

security-bootstrap-validate-onboarding-dry-run: ## Validate NET-WP-0017-T06 non-root onboarding dry-run evidence
	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
	  validate-onboarding-dry-run \
	  --evidence "$(ONBOARDING_DRY_RUN_EVIDENCE)"

security-bootstrap-custody-roster-template: ## Print a non-secret two-of-three custody roster template
	python3 tools/security-bootstrap-console/security_bootstrap_console.py custody-roster-template

security-bootstrap-cleanup-evidence-template: ## Print non-secret NET-WP-0017-T03/T04 cleanup and taint evidence JSON template
	python3 tools/security-bootstrap-console/security_bootstrap_console.py cleanup-evidence-template

security-bootstrap-lifecycle-flow-template: ## Print non-secret NET-WP-0017-T05 lifecycle operator-flow evidence JSON template
	python3 tools/security-bootstrap-console/security_bootstrap_console.py lifecycle-flow-template

security-bootstrap-lifecycle-guide: ## Print the practical T05 operator flow guide (onboard/lock/offboard/review/fabric-admin with previews + commands)
	python3 tools/security-bootstrap-console/security_bootstrap_console.py lifecycle-guide

security-bootstrap-onboarding-dry-run-template: ## Print non-secret NET-WP-0017-T06 onboarding dry-run evidence JSON template (use to start T06 evidence after running the lifecycle flow)
	python3 tools/security-bootstrap-console/security_bootstrap_console.py onboarding-dry-run-template

security-bootstrap-onboarding-dry-run: ## Run the T06 non-root dry-run orchestrator (see sso-mfa/k8s/lldap/dry-run-nonroot-user.sh and NET-WP-0019). Usage: make ... SUBJECT=foo EMAIL=foo@ex.com DISPLAY="Foo"
	@cd sso-mfa/k8s/lldap && \
	  ./dry-run-nonroot-user.sh $(or $(SUBJECT),t06-dryrun) $(or $(EMAIL),t06-dryrun@coulomb.social) "$(or $(DISPLAY),T06 Dry Run User)" --actor user --scope none

security-bootstrap-lifecycle-cleanup-dryrun-users: ## Clean up dry-run/test users by pattern (NET-WP-0019 T04). Usage: make ... PATTERN=t06-*
	@cd sso-mfa/k8s/lldap && \
	  ./dry-run-nonroot-user.sh --cleanup-only "$(or $(PATTERN),t06-*)"

security-bootstrap-validate-custody-roster: ## Validate and verify the signed local custody roster
	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
	  validate-custody-roster \
	  --roster "$(CUSTODY_ROSTER)" \
	  --signature "$(CUSTODY_ROSTER_SIGNATURE)" \
	  --allowed-signers "$(CUSTODY_ROSTER_ALLOWED_SIGNERS)"

security-bootstrap-sign-custody-roster: ## Sign the ignored local custody roster with an SSH signing key
	@mkdir -p "$$(dirname "$(CUSTODY_ROSTER_ALLOWED_SIGNERS)")"
	@printf '%s ' "$(CUSTODY_ROSTER_SIGNING_PRINCIPAL)" > "$(CUSTODY_ROSTER_ALLOWED_SIGNERS)"
	@cat "$(CUSTODY_ROSTER_SIGNING_KEY).pub" >> "$(CUSTODY_ROSTER_ALLOWED_SIGNERS)"
	ssh-keygen -Y sign \
	  -f "$(CUSTODY_ROSTER_SIGNING_KEY)" \
	  -n netkingdom-custody-roster \
	  "$(CUSTODY_ROSTER)"
	@if [[ "$(CUSTODY_ROSTER_SIGNATURE)" != "$(CUSTODY_ROSTER).sig" ]]; then \
	  cp "$(CUSTODY_ROSTER).sig" "$(CUSTODY_ROSTER_SIGNATURE)"; \
	fi

security-bootstrap-approve-custody: ## Approve custody mode metadata: make security-bootstrap-approve-custody ARGS="--mfa-enrolled-confirmed --mfa-enrollment-source identity-provider --recovery-confirmed --custody-packet-prepared --no-secret-capture-confirmed"
	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
	  --metadata "$(SECURITY_BOOTSTRAP_METADATA)" \
	  approve-custody-mode \
	  --mode "$(if $(MODE),$(MODE),temporary-single-king)" \
	  $(ARGS)

security-bootstrap-custody-packet: ## Print a blank offline custody packet template
	python3 tools/security-bootstrap-console/security_bootstrap_console.py custody-packet

security-bootstrap-openbao-preflight: ## Show safe OpenBao preflight commands
	python3 tools/security-bootstrap-console/security_bootstrap_console.py openbao-preflight \
	  --railiance-path ../railiance-platform

security-bootstrap-metadata-init: ## Create durable local non-secret bootstrap metadata if missing
	@mkdir -p "$$(dirname "$(SECURITY_BOOTSTRAP_METADATA)")"
	@if [[ -f "$(SECURITY_BOOTSTRAP_METADATA)" ]]; then \
	  echo "✔ Metadata already exists: $(SECURITY_BOOTSTRAP_METADATA)"; \
	elif [[ -f /tmp/net-kingdom-security-bootstrap.json ]]; then \
	  cp /tmp/net-kingdom-security-bootstrap.json "$(SECURITY_BOOTSTRAP_METADATA)"; \
	  echo "✔ Imported previous /tmp bootstrap metadata to $(SECURITY_BOOTSTRAP_METADATA)"; \
	else \
	  python3 tools/security-bootstrap-console/security_bootstrap_console.py metadata-template \
	    > "$(SECURITY_BOOTSTRAP_METADATA)"; \
	  echo "✔ Created metadata: $(SECURITY_BOOTSTRAP_METADATA)"; \
	fi

security-bootstrap-ui: security-bootstrap-metadata-init ## Serve local custody approval UI on localhost:8876: make security-bootstrap-ui
	python3 tools/security-bootstrap-console/security_bootstrap_console.py \
	  --metadata "$(SECURITY_BOOTSTRAP_METADATA)" \
	  web-ui \
	  --host "$(SECURITY_BOOTSTRAP_HOST)" \
	  --port "$(SECURITY_BOOTSTRAP_PORT)"

.PHONY: help hooks hooks-test sops-setup sops-edit sops-encrypt sops-decrypt sops-rotate \
        check-secrets creds-init creds-generate creds-bundle creds-apply creds-verify \
        creds-status creds-rotate \
        creds-agent-init creds-agent-status creds-emergency-reprint \
        iam-profile-conformance-test playbook-contract-test \
        security-bootstrap-console-test security-bootstrap-scripts-syntax \
        security-bootstrap-console security-bootstrap-king-kit \
        security-bootstrap-validate-kit security-bootstrap-validate-t02 \
        security-bootstrap-validate-cleanup \
        security-bootstrap-validate-lifecycle-flow \
        security-bootstrap-validate-onboarding-dry-run \
        security-bootstrap-validate-keycape-client \
        security-bootstrap-custody-roster-template \
        security-bootstrap-cleanup-evidence-template \
        security-bootstrap-lifecycle-flow-template \
        security-bootstrap-lifecycle-guide \
        security-bootstrap-onboarding-dry-run-template \
        security-bootstrap-onboarding-dry-run \
        security-bootstrap-lifecycle-cleanup-dryrun-users \
        security-bootstrap-validate-custody-roster \
        security-bootstrap-sign-custody-roster \
        security-bootstrap-approve-custody \
        security-bootstrap-custody-packet security-bootstrap-openbao-preflight \
        security-bootstrap-metadata-init security-bootstrap-ui \
        security-bootstrap-console-test security-bootstrap-scripts-syntax \
        security-bootstrap-validate-keycape-client
