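#!/usr/bin/env bash
# rotate-policy-cli-secret.sh — generate a fresh random shared secret for the
# Authority `policy-cli` client and (unless --dry-run) write it to a file under
# etc/secrets/ with the standard header comment.
#
# Security notes:
#   * The secret file is created with mode 0600 (umask 077 + mktemp) and moved
#     into place atomically, so the secret is never world-readable and readers
#     never observe a partially written file. The original version wrote with
#     the caller's default umask, which typically yields a 0644 secret.
#   * --dry-run prints the secret on stdout; avoid running it where stdout is
#     captured by CI logs or shell history you do not control.
set -euo pipefail

usage() {
  cat <<'EOF'
Usage: rotate-policy-cli-secret.sh [--output <path>] [--dry-run]

Generates a new random shared secret suitable for the Authority `policy-cli`
client and optionally writes it to the target file in `etc/secrets/` with the
standard header comment.

Options:
  --output <path>  Destination file (default: etc/secrets/policy-cli.secret)
  --dry-run        Print the generated secret to stdout without writing.
  -h, --help       Show this help.
EOF
}

# Print a diagnostic to stderr and exit non-zero.
die() { printf '%s\n' "$*" >&2; exit 1; }

OUTPUT="etc/secrets/policy-cli.secret"
DRY_RUN=0

while [[ $# -gt 0 ]]; do
  case "$1" in
    --output)
      # Reject a missing value with a clear message instead of the
      # "unbound variable" error `set -u` would otherwise produce for $2.
      [[ $# -ge 2 ]] || die "--output requires a path argument"
      OUTPUT="$2"
      shift 2
      ;;
    --dry-run)
      DRY_RUN=1
      shift
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "Unknown argument: $1" >&2
      usage >&2
      exit 1
      ;;
  esac
done

command -v openssl >/dev/null 2>&1 || die "openssl is required to generate secrets"

# 48 bytes from openssl's CSPRNG, base64-encoded (64 chars). tr strips any
# newline and '=' padding so the token is a single config-safe word.
RAW_SECRET=$(openssl rand -base64 48 | tr -d '\n=')
[[ -n "$RAW_SECRET" ]] || die "openssl produced an empty secret"
SECRET="policy-cli-${RAW_SECRET}"

if [[ "$DRY_RUN" -eq 1 ]]; then
  printf '%s\n' "$SECRET"
  exit 0
fi

OUT_DIR=$(dirname -- "$OUTPUT")
OUT_BASE=$(basename -- "$OUTPUT")
[[ -d "$OUT_DIR" ]] || die "Output directory does not exist: $OUT_DIR"

# Never let the secret be created with a permissive default umask.
umask 077
TMP_FILE=$(mktemp -- "${OUT_DIR}/.${OUT_BASE}.XXXXXX") || die "mktemp failed in $OUT_DIR"
cleanup() { rm -f -- "$TMP_FILE"; }
trap cleanup EXIT
# mktemp already creates the file 0600; make that explicit for auditors.
chmod 600 -- "$TMP_FILE"

cat <<EOF > "$TMP_FILE"
# generated $(date -u +%Y-%m-%dT%H:%M:%SZ) via scripts/rotate-policy-cli-secret.sh
$SECRET
EOF

# Atomic replace within the same directory: a crash mid-write cannot leave a
# truncated or empty secret file behind.
mv -f -- "$TMP_FILE" "$OUTPUT"
trap - EXIT

echo "Wrote new policy-cli secret to $OUTPUT"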