#!/usr/bin/env bash

# SPDX-FileCopyrightText: 2026 Jiri Vyskocil
# SPDX-FileCopyrightText: 2026 Andreas Knüpfer
# SPDX-License-Identifier: Apache-2.0
# terok:container — this file is deployed into task containers, not used on the host.

# terok container help banner. Called on login as:
#   _TEROK_LOGIN=1 hilfe --kurz
# and available as the `hilfe` command for quick reference.

set -euo pipefail

_mode="${1:-}"
case "$_mode" in
    ""|--kurz) ;;
    *)
        printf 'Usage: hilfe [--kurz]\n' >&2
        exit 2
        ;;
esac

_terok_permission_mode() {
    if [[ "${TEROK_UNRESTRICTED:-}" == "1" ]]; then
        printf '\n\033[1mPermission mode:\033[0m \033[32munrestricted\033[0m\n'
    else
        printf '\n\033[1mPermission mode:\033[0m \033[33mrestricted\033[0m (vendor defaults)\n'
    fi
}

_terok_help_dir=/usr/local/share/terok/help.d

# Each section's contents are pre-rendered at L1 build time from the
# roster YAML's `help:` blurbs (see terok_executor/container/build.py
# stage_help_fragments).  Empty sections produce no file → silently skipped.
_terok_section() {
    local title="$1" file="$2"
    [ -s "${_terok_help_dir}/${file}" ] || return 0
    printf '\n\033[1m%s\033[0m\n' "$title"
    cat "${_terok_help_dir}/${file}"
}

_terok_executors() { _terok_section 'Available AI agents:' agents.txt; }
_terok_dev_tools() { _terok_section 'Dev tools:'           dev-tools.txt; }

# Agents (the CLI tools above) and providers (LLM endpoints) are independent
# axes.  The authenticated providers the vault routes for this container come
# from the materialized phantom-token env vars (one per provider).
_terok_providers() {
    local _list
    _list=$(printenv \
        | sed -n 's/^TEROK_PROVIDER_\(.*\)_TOKEN=.*/\1/p' \
        | tr '[:upper:]' '[:lower:]' | sort -u)
    [ -n "$_list" ] || return 0
    # Providers in magenta (distinct from the cyan agent/tool commands), joined
    # with plain commas so the line reads as a sentence.
    printf '\n\033[1mProviders (LLM endpoints):\033[0m '
    local _first=1 _p
    for _p in $_list; do
        [ "$_first" -eq 1 ] || printf ', '
        printf '\033[35m%s\033[0m' "$_p"
        _first=0
    done
    printf '\n'
    printf '  Point any agent at a provider it speaks to: \033[36m<agent> --provider <name>\033[0m\n'
    printf '  (e.g. \033[36mopencode --provider openrouter\033[0m).  \033[36mopencode\033[0m reaches any of them;\n'
    printf '  native CLIs default to their own.  Ready pairs: \033[36mproviders\033[0m\n'
    [ -n "${TEROK_PROVIDER:-}" ] && \
        printf "  This task's default provider: \033[35m%s\033[0m\n" "$TEROK_PROVIDER"
    return 0
}

_terok_notes() {
    printf '\n\033[1mterok container notes:\033[0m\n'
    printf '  - \033[36m/workspace\033[0m  main project git checkout for this task\n'
    printf '  - \033[36m/home/dev\033[0m  home dir; several config dirs here are mounted from the host\n'
    printf '                 (.claude, .codex, gh/glab, opencode, optional .ssh)\n'
    printf '  - agent CLI commands above are terok wrappers with git/session defaults\n'
    printf '  - \033[36msudo update-all-the-things\033[0m updates system packages and agent installs\n'
    printf '    in this running container only\n'
    printf '  - host/TUI: \033[36mRebuild from L1 with fresh agents\033[0m / \033[36mterok build --refresh-agents <project>\033[0m\n'
    printf '    refreshes agent installs for new containers only\n'
    printf '  - host/TUI: \033[36mRebuild from L0 (no cache)\033[0m / \033[36mterok build --full-rebuild <project>\033[0m\n'
    printf '    refreshes the base image + apt packages for new containers only\n'
    printf '  - tmux inside the container uses \033[36m^a\033[0m; host tmux usually uses \033[36m^b\033[0m\n'
    printf '  - the container is disposable; \033[36msudo\033[0m works without a password\n'
}

_terok_permission_mode
_terok_executors
_terok_providers
_terok_dev_tools

if [[ "$_mode" == "--kurz" ]]; then
    printf '\nRun \033[1mhilfe\033[0m for more container tips.\n\n'
    exit 0
fi

_terok_notes
printf '\n'
