#!/usr/bin/env bash
# nerf-report -- File a structured report about a nerf tool (bug / bypass reason / complaint / feature request). Writes a Markdown file with auto-captured frontmatter to `~/.nerftools/<brand>/reports/`.
# Generated from nerf-report manifest. Do not edit directly.
# nerf:threat:read=none
# nerf:threat:write=workspace

if [[ "${BASH_VERSINFO[0]:-0}" -lt 4 ]]; then
  echo "error: nerf-report requires bash 4+. Found bash ${BASH_VERSION:-unknown}" >&2
  echo "  hint: on macOS, install a newer bash via 'brew install bash'" >&2
  exit 1
fi

set -euo pipefail

NERFTOOLS_BRAND="nerf"

_NERF_DRY_RUN=""

usage() {
  cat >&2 <<'EOF'
Usage: nerf-report <kind> <tool> <body>

Arguments:
  <kind> (required)
      Report kind
      Allowed values: bug, bypass, complaint, request
  <tool> (required)
      Tool the report is about (e.g. nerf-az-repos-pr-edit), or "nerftools" for the package itself
  <body> (required)
      Free-form prose describing the issue/request. Quote it so it reaches the script as a single argument.

File a structured report about a nerf tool (bug / bypass reason / complaint / feature request). Writes a Markdown file with auto-captured frontmatter to `~/.nerftools/<brand>/reports/`.
EOF
  exit 1
}

while [[ $# -gt 0 ]]; do
  case "$1" in
    --nerf-dry-run) _NERF_DRY_RUN="true"; shift 1 ;;
    -h|--help) usage ;;
    --) shift; break ;;
    *) break ;;
  esac
done

_KIND_SET=""
if [[ $# -gt 0 ]]; then
  KIND="$1"
  _KIND_SET=true
  shift
else
  KIND=""
fi
_TOOL_SET=""
if [[ $# -gt 0 ]]; then
  TOOL="$1"
  _TOOL_SET=true
  shift
else
  TOOL=""
fi
_BODY_SET=""
if [[ $# -gt 0 ]]; then
  BODY="$1"
  _BODY_SET=true
  shift
else
  BODY=""
fi
if [[ $# -gt 0 ]]; then
  echo "error: nerf-report: unexpected extra arguments: $*" >&2
  echo "  hint: switches and options must come before positional arguments" >&2
  exit 1
fi

if [[ -n "${_KIND_SET}" ]] && [[ "${KIND}" == -* ]]; then
  echo "error: nerf-report: <kind> cannot start with '-'" >&2
  echo "  hint: use -- before positional arguments if needed" >&2
  exit 1
fi

if [[ -z "${KIND}" ]]; then
  echo "error: nerf-report: missing required argument <kind>" >&2
  echo "  hint: provide a value for <kind>" >&2
  usage
fi

if [[ -n "${_KIND_SET}" ]] && [[ "${KIND}" != "bug" && "${KIND}" != "bypass" && "${KIND}" != "complaint" && "${KIND}" != "request" ]]; then
  echo "error: nerf-report: argument <kind> is not an allowed value" >&2
  echo "  value:   \"${KIND}\"" >&2
  echo "  allowed: bug, bypass, complaint, request" >&2
  echo "  hint: use one of the allowed values" >&2
  exit 1
fi

if [[ -n "${_TOOL_SET}" ]] && [[ "${TOOL}" == -* ]]; then
  echo "error: nerf-report: <tool> cannot start with '-'" >&2
  echo "  hint: use -- before positional arguments if needed" >&2
  exit 1
fi

if [[ -z "${TOOL}" ]]; then
  echo "error: nerf-report: missing required argument <tool>" >&2
  echo "  hint: provide a value for <tool>" >&2
  usage
fi

if [[ -n "${_BODY_SET}" ]] && [[ "${BODY}" == -* ]]; then
  echo "error: nerf-report: <body> cannot start with '-'" >&2
  echo "  hint: use -- before positional arguments if needed" >&2
  exit 1
fi

if [[ -z "${BODY}" ]]; then
  echo "error: nerf-report: missing required argument <body>" >&2
  echo "  hint: provide a value for <body>" >&2
  usage
fi

if [[ "$_NERF_DRY_RUN" == "true" ]]; then
  echo "dry-run: nerf-report would run inline script"
  exit 0
fi

: "${HOME:?nerf-report: HOME is not set; cannot determine reports directory}"
: "${NERFTOOLS_BRAND:?nerf-report: NERFTOOLS_BRAND is unset; the builder should stamp this -- empty would silently write to a different reports queue}"

REPORTS_DIR="${HOME}/.nerftools/${NERFTOOLS_BRAND}/reports"
umask 077
mkdir -p "$REPORTS_DIR"
if ! chmod 0700 "$REPORTS_DIR"; then
    echo "error: nerf-report: could not restrict permissions on ${REPORTS_DIR}; refusing to write report" >&2
    exit 1
fi

# Derive the current plugin version from plugin.json (preferred), with a
# safe fallback if the file isn't readable.
NERFTOOLS_VERSION="unknown"
if [[ -n "${CLAUDE_PLUGIN_ROOT:-}" && -f "${CLAUDE_PLUGIN_ROOT}/.claude-plugin/plugin.json" ]] \
   && command -v jq > /dev/null 2>&1; then
    _v=$(jq -r '.version // "unknown"' "${CLAUDE_PLUGIN_ROOT}/.claude-plugin/plugin.json" 2>/dev/null) || _v="unknown"
    [[ -n "$_v" ]] && NERFTOOLS_VERSION="$_v"
fi

TIMESTAMP_COMPACT="$(date -u +%Y%m%dT%H%M%SZ)"
TIMESTAMP_ISO="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
SESSION="${NERF_REPORT_SESSION:-${CLAUDE_SESSION_ID:-${CODEX_SESSION_ID:-unknown}}}"
CWD="$(pwd)"

SANITIZED_TOOL="${TOOL//[^A-Za-z0-9._-]/_}"
if [[ -z "$SANITIZED_TOOL" ]]; then
    echo "error: nerf-report: <tool> is empty after sanitization" >&2
    exit 1
fi

FILENAME="${TIMESTAMP_COMPACT}_${KIND}_${SANITIZED_TOOL}_${NERFTOOLS_VERSION}.md"
DEST="${REPORTS_DIR}/${FILENAME}"

_yaml_escape() {
    local s="$1"
    s="${s//\\/\\\\}"
    s="${s//\"/\\\"}"
    s="${s//$'\n'/\\n}"
    s="${s//$'\r'/\\r}"
    s="${s//$'\t'/\\t}"
    printf '%s' "$s"
}

# Belt-and-suspenders: the dir is 0700 (set above) so an
# adversary couldn't plant a symlink, but if DEST somehow exists
# as a symlink (TOCTOU race, leftover from older umask, etc.)
# refuse to write through it rather than potentially clobbering
# whatever it points at.
if [[ -L "$DEST" ]]; then
    echo "error: nerf-report: refusing to write through existing symlink at ${DEST}" >&2
    exit 1
fi

{
    printf -- '---\n'
    printf 'kind: %s\n' "$KIND"
    printf 'tool: "%s"\n' "$(_yaml_escape "$TOOL")"
    printf 'nerftools_brand: "%s"\n' "$(_yaml_escape "$NERFTOOLS_BRAND")"
    printf 'nerftools_version: "%s"\n' "$(_yaml_escape "$NERFTOOLS_VERSION")"
    printf 'session: "%s"\n' "$(_yaml_escape "$SESSION")"
    printf 'cwd: "%s"\n' "$(_yaml_escape "$CWD")"
    printf 'timestamp: "%s"\n' "$TIMESTAMP_ISO"
    printf -- '---\n\n'
    printf '%s\n' "$BODY"
} >> "$DEST"

echo "report written: $DEST"
