#!/usr/bin/env bash
# vault.sh — ClaudeTools wrapper for the SOPS vault.
#
# Reads vault_path from .claude/identity.json (per-machine, gitignored).
# Delegates all arguments to the real vault.sh in that directory.
#
# Usage (from any directory):
#   bash "$(git -C "$(dirname "${BASH_SOURCE[0]}")" rev-parse --show-toplevel)/.claude/scripts/vault.sh" get-field <path> <field>
#
# Or set CLAUDETOOLS_ROOT and call directly:
#   bash "$CLAUDETOOLS_ROOT/.claude/scripts/vault.sh" get-field <path> <field>

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
CLAUDETOOLS_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"
IDENTITY_FILE="$CLAUDETOOLS_ROOT/.claude/identity.json"

if [[ ! -f "$IDENTITY_FILE" ]]; then
    echo "[ERROR] .claude/identity.json not found at $IDENTITY_FILE" >&2
    echo "        Run onboarding to create it, or add vault_path manually." >&2
    exit 1
fi

# Extract vault_path from identity.json — jq first, then Python with path conversion
VAULT_ROOT=""
if command -v jq >/dev/null 2>&1; then
    VAULT_ROOT=$(jq -r '.vault_path // empty' "$IDENTITY_FILE" 2>/dev/null)
fi
if [[ -z "$VAULT_ROOT" ]]; then
    IDENTITY_FILE_FOR_PY="$IDENTITY_FILE"
    command -v cygpath >/dev/null 2>&1 && IDENTITY_FILE_FOR_PY=$(cygpath -m "$IDENTITY_FILE")
    for py in py python3 python; do
        if command -v "$py" >/dev/null 2>&1; then
            VAULT_ROOT=$("$py" -c "import json,sys; d=json.load(open(r'$IDENTITY_FILE_FOR_PY')); print(d.get('vault_path',''))" 2>/dev/null) && break
        fi
    done
fi

if [[ -z "$VAULT_ROOT" ]]; then
    echo "[ERROR] vault_path not set in $IDENTITY_FILE" >&2
    echo "        Add: \"vault_path\": \"/path/to/vault\"" >&2
    exit 1
fi

REAL_VAULT_SH="$VAULT_ROOT/scripts/vault.sh"

if [[ ! -f "$REAL_VAULT_SH" ]]; then
    echo "[ERROR] vault.sh not found at $REAL_VAULT_SH" >&2
    echo "        Check vault_path in $IDENTITY_FILE" >&2
    exit 1
fi

exec bash "$REAL_VAULT_SH" "$@"