#!/bin/sh /etc/rc.common

USE_PROCD=1
START=99
STOP=10

SERVICE_NAME="openclawmgr"

_find_entry() {
	local global_dir="$1"
	local d="${global_dir}/lib/node_modules/openclaw"
	[ -f "${d}/openclaw.mjs" ] && { echo "${d}/openclaw.mjs"; return 0; }
	[ -f "${d}/dist/cli.js" ] && { echo "${d}/dist/cli.js"; return 0; }
	return 1
}

_json_get() {
	local file="$1" expr="$2"
	[ -f "$file" ] || return 0
	command -v jsonfilter >/dev/null 2>&1 || return 0
	jsonfilter -i "$file" -e "$expr" 2>/dev/null || true
}

start_service() {
	config_load openclawmgr
	config_get_bool enabled main enabled 0
	config_get base_dir main base_dir ""
	local port="18789"
	local bind="lan"
	local token=""

	[ "$enabled" -eq 1 ] || return 0
	[ -n "$base_dir" ] || return 1

	local data_dir="${base_dir}/data"
	local config_file="${data_dir}/.openclaw/openclaw.json"
	local json_port json_bind json_token
	json_port="$(_json_get "$config_file" '@.gateway.port')"
	json_bind="$(_json_get "$config_file" '@.gateway.bind')"
	json_token="$(_json_get "$config_file" '@.gateway.auth.token')"
	[ -n "$json_port" ] && port="$json_port"
	[ -n "$json_bind" ] && bind="$json_bind"
	[ -n "$json_token" ] && token="$json_token"

	if echo "$port" | grep -Eq '^[0-9]+$'; then
		if [ "$port" -le 1024 ] 2>/dev/null; then
			logger -t openclawmgr "Refusing to start: unsafe port ${port} (must be >1024)"
			return 1
		fi
	else
		return 1
	fi

	local node_bin="${base_dir}/node/bin/node"
	local global_dir="${base_dir}/global"
	local env_file="${data_dir}/.openclaw/openclaw.env"
	local entry="$(_find_entry "$global_dir")"
	local openai_api_key=""
	local anthropic_api_key=""
	local minimax_api_key=""
	local moonshot_api_key=""

	[ -x "$node_bin" ] || return 1
	[ -n "$entry" ] || return 1
	[ -n "$token" ] || return 1

	mkdir -p "${data_dir}/.openclaw/workspace" 2>/dev/null
	if [ -f "$env_file" ]; then
		# shellcheck disable=SC1090
		. "$env_file"
		openai_api_key="${OPENAI_API_KEY:-}"
		anthropic_api_key="${ANTHROPIC_API_KEY:-}"
		minimax_api_key="${MINIMAX_API_KEY:-}"
		moonshot_api_key="${MOONSHOT_API_KEY:-}"
	fi

	# OpenClaw uses --force to kill conflicting processes, but requires either `lsof`
	# or `fuser`. iStoreOS images may not include them by default.
	local force_opt=""
	# Safety: never allow --force on privileged ports (it could kill SSH/LuCI when ports collide).
	if [ "$port" -gt 1024 ] 2>/dev/null && (command -v lsof >/dev/null 2>&1 || command -v fuser >/dev/null 2>&1); then
		force_opt="--force"
	fi

	local user_opt=""
	if id openclawmgr >/dev/null 2>&1; then
		user_opt="openclawmgr"
	fi
	if [ -n "$user_opt" ]; then
		chown -R "$user_opt:$user_opt" "$data_dir" 2>/dev/null || true
		chmod -R u+rwX "$data_dir" 2>/dev/null || true
	fi

	procd_open_instance "gateway"
	procd_set_param command "$node_bin" "$entry" gateway run --port "$port" --bind "$bind" --auth token --token "$token" --allow-unconfigured $force_opt
	procd_set_param env \
		HOME="$data_dir" \
		OPENCLAW_HOME="$data_dir" \
		OPENCLAW_STATE_DIR="${data_dir}/.openclaw" \
		OPENCLAW_CONFIG_PATH="${data_dir}/.openclaw/openclaw.json" \
		OPENCLAW_GATEWAY_PORT="$port" \
		OPENCLAW_GATEWAY_BIND="$bind" \
		OPENCLAW_GATEWAY_TOKEN="$token" \
		OPENAI_API_KEY="$openai_api_key" \
		ANTHROPIC_API_KEY="$anthropic_api_key" \
		MINIMAX_API_KEY="$minimax_api_key" \
		MOONSHOT_API_KEY="$moonshot_api_key" \
		PATH="${base_dir}/node/bin:${global_dir}/bin:/usr/sbin:/usr/bin:/sbin:/bin"
	[ -n "$user_opt" ] && procd_set_param user "$user_opt"
	procd_set_param respawn 3600 10 5
	procd_set_param stdout 1
	procd_set_param stderr 1
	procd_close_instance
}

service_triggers() {
	procd_add_reload_trigger "openclawmgr"
}
