#!/usr/bin/env bash
set -euo pipefail

# Random 8-hex-digit identifier; it is shown in this banner and again in the
# final summary.
EVAL_ID="$(openssl rand -hex 4)"

# Opening banner.
cat <<EOF
=================================================
PRL3 PROOF INSTALLER - EVALUATION MODE
BLACK-BOX VERIFICATION BUILD
BUILD: PRL3-PROOF-2026.05-EVAL
EVALUATION ID: $EVAL_ID
=================================================
EOF

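# Install root for the evaluation bundle, the virtualenv and runtime data.
BASE_DIR="/opt/prl3"
# Everything printed after the exec below is appended to this file.
LOG_FILE="/var/log/prl3_proof_install.log"
# Account that owns $BASE_DIR and is written into the service units as User=.
# $USER can be unset (cron, minimal containers), which would abort under
# `set -u`, so fall back to the effective user name.
# NOTE(review): if the installer is started as root, the network-facing
# services are installed with User=root; run it as an unprivileged user that
# has sudo rights instead.
APP_USER="${USER:-$(id -un)}"

# /var/log is normally writable by root only, so an unprivileged tee cannot
# open the log and the install would run with no log at all. Create the file
# up front, owned by the installing user and not world-readable.
if [[ ! -w "$LOG_FILE" ]]; then
  sudo touch "$LOG_FILE"
  sudo chown "$APP_USER" "$LOG_FILE"
  sudo chmod 640 "$LOG_FILE"
fi

# From here on, stdout and stderr go both to the terminal and to the log.
exec > >(stdbuf -oL tee -a "$LOG_FILE") 2>&1

# Keep Python output unbuffered so it reaches the log in order.
export PYTHONUNBUFFERED=1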

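echo "[1/9] System check..."
# /etc/os-release is a shell-syntax key=value file; sourcing it defines
# VERSION_ID, PRETTY_NAME, etc. in this script's namespace.
# shellcheck disable=SC1091
source /etc/os-release
# Use a default expansion: some distributions omit VERSION_ID, and under
# `set -u` a bare "$VERSION_ID" would abort with "unbound variable" instead of
# printing the intended error message.
# NOTE(review): only VERSION_ID is compared; the distribution ID is not
# checked, so any distro reporting 24.04 passes.
if [[ "${VERSION_ID:-}" != "24.04" ]]; then
  echo "ERROR: Ubuntu 24.04 required"
  exit 1
fi
echo "[OK] OS verified: ${PRETTY_NAME:-unknown}"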

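echo ""
echo -n "Enter GROQ_API_KEY: "
GROQ_API_KEY=""
# Read the key one character at a time with terminal echo disabled (-s), so
# only "*" placeholders reach the screen and the install log, never the
# secret itself. (The number of "*" still reveals the key length in the log.)
while IFS= read -r -s -n1 char; do
  if [[ -z $char || $char == $'\n' ]]; then
    # read -n1 returns an empty string when Enter is pressed: input finished.
    break
  elif [[ $char == $'\177' || $char == $'\b' ]]; then
    # DEL or Ctrl-H, depending on the terminal: erase the last character and
    # its "*" placeholder.
    if [[ -n $GROQ_API_KEY ]]; then
      GROQ_API_KEY="${GROQ_API_KEY%?}"
      echo -ne '\b \b'
    fi
  else
    GROQ_API_KEY+="$char"
    echo -n "*"
  fi
done
echo ""

# Stop now rather than after a full install if nothing was entered.
if [[ -z $GROQ_API_KEY ]]; then
  echo "ERROR: GROQ_API_KEY must not be empty"
  exit 1
fi

# NOTE(review): exporting puts the key into the environment of every
# non-sudo child process started later in this script, including pip and the
# Python scripts shipped in the downloaded bundle. Confirm which of them
# actually need it before narrowing the scope; use a key that can be revoked
# after the evaluation.
export GROQ_API_KEY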

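echo "[2/9] Installing minimal dependencies..."
export DEBIAN_FRONTEND=noninteractive

# unattended-upgrades is paused so it does not hold the dpkg lock during the
# install. Under `set -e` a failing apt-get would otherwise end the script
# with automatic security updates still switched off, so restart the service
# on every exit path until the install has finished.
restart_unattended_upgrades() {
  sudo systemctl start unattended-upgrades || true
}
trap restart_unattended_upgrades EXIT

sudo systemctl stop unattended-upgrades
sudo systemctl daemon-reload
sudo apt-get update -q
sudo apt-get install -y php-cli php-curl python3 python3-venv python3-pip curl wget build-essential

# Normal path: drop the safety net and restart the service explicitly, so a
# failure to restart is reported instead of swallowed.
trap - EXIT
sudo systemctl start unattended-upgrades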

echo "[3/9] Creating isolated evaluation directory..."
# Create the four working directories under the install root as root, then
# hand the whole tree to the account that runs the services.
sudo mkdir -p \
  "$BASE_DIR/app" \
  "$BASE_DIR/logs" \
  "$BASE_DIR/bench" \
  "$BASE_DIR/runtime"
sudo chown -R "${APP_USER}:${APP_USER}" "$BASE_DIR"

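echo "[4/9] Downloading PROOF bundle..."
# Download to an unpredictable, private temp file: a fixed name in the
# world-writable /tmp can be pre-created or symlinked by another local user.
bundle_tmp="$(mktemp)"

# -f makes curl fail on HTTP errors instead of saving the error page as the
# "tarball"; --proto '=https' keeps redirects (-L) from leaving HTTPS.
curl --proto '=https' --tlsv1.2 -fsSL \
  https://icomnewtechnologies.com/proof/prl3_proof_bundle.tar.gz \
  -o "$bundle_tmp"

# The bundle's code is installed and executed in later steps, so TLS alone is
# the only integrity protection unless a digest is checked. Verification is
# optional: set PRL3_BUNDLE_SHA256 to the SHA-256 obtained from the vendor
# over a separate channel.
if [[ -n "${PRL3_BUNDLE_SHA256:-}" ]]; then
  if ! printf '%s  %s\n' "$PRL3_BUNDLE_SHA256" "$bundle_tmp" \
    | sha256sum --check --quiet -; then
    echo "ERROR: PROOF bundle checksum mismatch"
    rm -f -- "$bundle_tmp"
    exit 1
  fi
else
  echo "[WARN] PRL3_BUNDLE_SHA256 not set; bundle integrity not verified"
fi

# --no-same-owner: never restore archive-recorded owners, even if the
# installer happens to run as root.
tar -xzf "$bundle_tmp" -C "$BASE_DIR/app" --strip-components=1 --no-same-owner
rm -f -- "$bundle_tmp"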

echo "[5/9] Setting up Python environment..."
venv_dir="$BASE_DIR/venv"
python3 -m venv "$venv_dir"
# Activating the venv changes PATH for the rest of this script, so the bare
# `pip` calls below resolve to the venv's pip.
# shellcheck disable=SC1091
source "$venv_dir/bin/activate"
pip install -q --upgrade pip
# requirements.txt comes from the downloaded bundle, and pip may run package
# build code while installing. NOTE(review): GROQ_API_KEY is already exported
# at this point, so that code runs with the key in its environment.
pip install -q -r "$BASE_DIR/app/requirements.txt"
pip install -q requests

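echo "[6/9] Deploying services (NO KERNEL / NO DKMS)..."
echo "Kernel module DISABLED in PROOF mode"

# Listen address for the proxy. `php -S` is PHP's built-in development
# server, which the PHP manual says should not be used on a public network.
# The installer advertises the proxy as http://localhost:8000, so bind to
# loopback by default instead of every interface. Set PRL3_PROXY_BIND=0.0.0.0
# before running the installer to restore the previous exposure deliberately.
PRL3_PROXY_BIND="${PRL3_PROXY_BIND:-127.0.0.1}"

# Unit files are rendered with the current values of $BASE_DIR and $APP_USER
# (unquoted heredoc) and written as root through `sudo tee`, which also
# echoes them to the install log.
cat <<EOF | sudo tee /etc/systemd/system/prl3-proxy.service
[Unit]
Description=PRL3 Proof Proxy
After=network.target

[Service]
ExecStart=/usr/bin/php -S ${PRL3_PROXY_BIND}:8000 -t $BASE_DIR/app/groq_proxy
Restart=always
User=$APP_USER

[Install]
WantedBy=multi-user.target
EOF

# NOTE(review): the embed server's listen address is decided inside
# embed_server.py, which is not visible here; confirm that it binds to
# loopback as well.
cat <<EOF | sudo tee /etc/systemd/system/prl3-embed.service
[Unit]
Description=PRL3 Proof Embed Server
After=network.target

[Service]
WorkingDirectory=$BASE_DIR/app
ExecStart=$BASE_DIR/venv/bin/python $BASE_DIR/app/embed_server.py
Restart=always
User=$APP_USER

[Install]
WantedBy=multi-user.target
EOF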

echo "[7/9] Enabling services..."
prl3_units=(prl3-proxy prl3-embed)

# Pick up the freshly written unit files, register both units for boot,
# start them, then restart them once more.
sudo systemctl daemon-reload
sudo systemctl enable "${prl3_units[@]}"
sudo systemctl start "${prl3_units[@]}"

sudo systemctl restart "${prl3_units[@]}"
# Short pause before the next step.
sleep 3

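echo "[8/9] Locking evaluation environment..."
# Owner: read/write, group: read, others: nothing. The capital X adds the
# execute/search bit only to directories and to files that are already
# executable; a numeric 750 would mark every data file, config and script in
# the tree executable, which is the opposite of locking it down.
sudo chmod -R u=rwX,g=rX,o= "$BASE_DIR"
sudo chown -R "$APP_USER":"$APP_USER" "$BASE_DIR"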

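echo "[9/9] Finalizing..."

sleep 3

# Best-effort health probe: report the result but keep going either way.
# An explicit if/else is used because `a && b || c` also runs c when b fails.
if curl -fsS http://localhost:5001/health >/dev/null; then
  echo "[OK] Embed server healthy"
else
  echo "[FAIL] Embed server failed"
fi

echo ""
# `systemctl status` exits non-zero when a unit is not active, and with
# `set -e -o pipefail` that would abort the installer exactly when the status
# output is most needed. The status display is informational, so its exit
# code is ignored deliberately.
for unit in prl3-proxy prl3-embed; do
  systemctl --no-pager --full status "$unit" | head -n 8 || true
done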

# Completion summary: build tag, evaluation id and the local service URLs.
cat <<EOF
=================================================
PRL3 PROOF INSTALL COMPLETE
=================================================

BUILD: PRL3-PROOF-2026.05-EVAL
EVALUATION ID: $EVAL_ID
MODE: BLACK-BOX EVALUATION
NO KERNEL MODULE
NO SECURE BOOT INTEGRATION

SERVICES:
- Proxy:  http://localhost:8000
- Embed:  http://localhost:5001

EOF
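echo "Running benchmark..."
sleep 5
# Paths are quoted so they survive word splitting and globbing if BASE_DIR is
# ever changed to a value containing spaces or wildcard characters.
cd "$BASE_DIR/app/bench"
# Both scripts come from the downloaded bundle and run as the invoking user.
"$BASE_DIR/venv/bin/python3" benchmark.py

echo ""
echo "Running PRL3 evaluation..."
# The key is handed over through the environment, not as a command-line
# argument, so it does not show up in the process argument list.
GROQ_API_KEY="$GROQ_API_KEY" "$BASE_DIR/venv/bin/python3" prl3_learn.py dataset_medium.json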

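echo "================================================="
echo ""
# Printed verbatim (quoted heredoc, no expansion). The units were enabled at
# install time, so they are disabled as well as stopped; otherwise deleting
# the unit files leaves dangling enablement symlinks behind. The install log
# and the fixed-name bundle download in /tmp are removed too.
cat <<'EOF'

UNINSTALL:
  sudo systemctl disable --now prl3-proxy prl3-embed
  sudo rm -f /etc/systemd/system/prl3-proxy.service
  sudo rm -f /etc/systemd/system/prl3-embed.service
  sudo systemctl daemon-reload
  sudo rm -rf /opt/prl3
  sudo rm -f /var/log/prl3_proof_install.log
  sudo rm -f /tmp/prl3_proof.tar.gz

EOF

sleep 1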
