#!/bin/sh
# ORBTR Agent Installer
# Usage: curl -fsSL https://get.orbtr.io/install.sh | sh
#   With token: curl -fsSL 'https://get.orbtr.io/install.sh?token=<TOKEN>' | sh
set -e

# Require root/sudo
if [ "$(id -u)" -ne 0 ]; then
    echo "ERROR: This installer must be run as root (use sudo)." >&2
    echo "  Usage: curl -fsSL 'https://get.orbtr.io/install.sh' | sudo sh" >&2
    exit 1
fi

ORBTR_BASE="https://get.orbtr.io"
ORBTR_ENDPOINT="https://devices.orbtr.io"
TOKEN=""
TLS_PINS=""

# Detect OS and architecture
OS=$(uname -s | tr '[:upper:]' '[:lower:]')
ARCH=$(uname -m)
case "$ARCH" in
    x86_64|amd64) ARCH="amd64" ;;
    aarch64|arm64) ARCH="arm64" ;;
    *) echo "Unsupported architecture: $ARCH" >&2; exit 1 ;;
esac

echo "Detected: $OS/$ARCH"

# Download binaries
DOWNLOAD_URL="${ORBTR_BASE}/download/${OS}/${ARCH}"
INSTALL_DIR="/usr/local/bin"
TMP_DIR=$(mktemp -d)
trap "rm -rf $TMP_DIR" EXIT

echo "Downloading ORBTR agent..."
curl -fsSL "${DOWNLOAD_URL}?binary=agentd" -o "$TMP_DIR/orbtr-agentd"
chmod +x "$TMP_DIR/orbtr-agentd"

echo "Downloading ORBTR CLI..."
curl -fsSL "${DOWNLOAD_URL}?binary=orbtrctl" -o "$TMP_DIR/orbtrctl"
chmod +x "$TMP_DIR/orbtrctl"

# Verify SHA256 (agentd)
VERSION_INFO=$(curl -fsSL "${ORBTR_BASE}/version?platform=${OS}&arch=${ARCH}")
EXPECTED_SHA=$(echo "$VERSION_INFO" | grep -o '"sha256":"[^"]*"' | cut -d'"' -f4)
if [ -n "$EXPECTED_SHA" ]; then
    ACTUAL_SHA=$(sha256sum "$TMP_DIR/orbtr-agentd" | cut -d' ' -f1)
    if [ "$ACTUAL_SHA" != "$EXPECTED_SHA" ]; then
        echo "SHA256 verification failed!" >&2
        echo "  Expected: $EXPECTED_SHA" >&2
        echo "  Got:      $ACTUAL_SHA" >&2
        exit 1
    fi
    echo "SHA256 verified."
fi

# Install
echo "Installing to $INSTALL_DIR..."
sudo mv "$TMP_DIR/orbtr-agentd" "$INSTALL_DIR/orbtr-agentd"
sudo mv "$TMP_DIR/orbtrctl" "$INSTALL_DIR/orbtrctl"
sudo chmod 755 "$INSTALL_DIR/orbtr-agentd"
sudo chmod 755 "$INSTALL_DIR/orbtrctl"

# Install service
if [ "$OS" = "darwin" ]; then
    sudo orbtr-agentd --install-service
elif command -v systemctl >/dev/null 2>&1; then
    sudo orbtr-agentd --install-service
fi

# Seed TLS pins if provided (enables certificate pinning from first connection)
if [ -n "$TLS_PINS" ]; then
    echo "Seeding TLS certificate pins..."
    orbtr-agentd --tls-pins="$TLS_PINS" 2>/dev/null || true
fi

# Auto-enroll if token provided
if [ -n "$TOKEN" ]; then
    echo "Auto-enrolling with provided token..."
    orbtrctl enroll "$TOKEN"
fi

echo "ORBTR agent installed successfully."
if [ -z "$TOKEN" ]; then
    echo "Enroll with: sudo orbtrctl enroll <TOKEN>"
fi