#!/usr/bin/env sh
set -eu

# Connection settings for the remote Hermes worker, all taken from the
# environment. Only the host is mandatory; the script aborts with the message
# below when it is unset or empty.
worker_host="${LEXPRIVE_HERMES_WORKER_HOST:?LEXPRIVE_HERMES_WORKER_HOST is required}"
# Account used for every ssh/rsync connection below. The default is root, so
# unless overridden the synced files and the remote Hermes process run with
# full privileges on the worker; a dedicated unprivileged account narrows that.
worker_user="${LEXPRIVE_HERMES_WORKER_USER:-root}"
# Private key passed to ssh with -i. The connections use BatchMode=yes, so no
# passphrase or password can be prompted for.
worker_key="${LEXPRIVE_WORKER_SSH_KEY:-/var/lib/lexprive-ai-company/ssh/paperclip_worker_ed25519}"
# Directory the remote command changes into. Falls back to the *local* working
# directory, then to /opt/lexprive, so the same path is expected on the worker.
remote_cwd="${LEXPRIVE_REMOTE_CWD:-${PWD:-/opt/lexprive}}"
# Path of the Hermes executable on the worker.
remote_hermes="${LEXPRIVE_REMOTE_HERMES_COMMAND:-/var/lib/lexprive-ai-company/hermes/venv/bin/hermes}"
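# Abort unless $2 is a decimal TCP port in 1..65535. $1 is the name shown in
# the error message. The values are later used in arithmetic expansion and in
# ssh -R forwarding specs, so anything but plain digits is rejected up front
# (some shells evaluate variable contents as expressions inside $(( ))).
require_port() {
  case "$2" in
    ''|0*|*[!0-9]*|??????*)
      printf '%s must be a decimal port number (1-65535)\n' "$1" >&2
      exit 2
      ;;
  esac
  if [ "$2" -gt 65535 ]; then
    printf '%s must be a decimal port number (1-65535)\n' "$1" >&2
    exit 2
  fi
}

# Worker-side port for the Paperclip API tunnel. Without an override the port
# is derived from this process's PID. The PID is mapped onto *even* ports
# (43000..52998) so that the derived DB port (API port + 1) of one invocation
# can never equal the API port of the invocation with the next PID; with a
# stride of one, two concurrent runs with consecutive PIDs would ask for the
# same forwarded port and the second would die on ExitOnForwardFailure.
if [ -n "${LEXPRIVE_REMOTE_PAPERCLIP_PORT:-}" ]; then
  remote_paperclip_port="$LEXPRIVE_REMOTE_PAPERCLIP_PORT"
else
  remote_paperclip_port="$((43000 + ($$ % 5000) * 2))"
fi
require_port LEXPRIVE_REMOTE_PAPERCLIP_PORT "$remote_paperclip_port"

# Port of the Paperclip API on this host (the tunnel's local end).
local_paperclip_port="${LEXPRIVE_LOCAL_PAPERCLIP_PORT:-3100}"
require_port LEXPRIVE_LOCAL_PAPERCLIP_PORT "$local_paperclip_port"

# Worker-side port for the Paperclip database tunnel; defaults to the port
# directly above the API tunnel port.
if [ -n "${LEXPRIVE_REMOTE_PAPERCLIP_DB_PORT:-}" ]; then
  remote_paperclip_db_port="$LEXPRIVE_REMOTE_PAPERCLIP_DB_PORT"
else
  remote_paperclip_db_port="$((remote_paperclip_port + 1))"
fi
require_port LEXPRIVE_REMOTE_PAPERCLIP_DB_PORT "$remote_paperclip_db_port"

# Port of the Paperclip database on this host (the tunnel's local end).
local_paperclip_db_port="${LEXPRIVE_LOCAL_PAPERCLIP_DB_PORT:-54329}"
require_port LEXPRIVE_LOCAL_PAPERCLIP_DB_PORT "$local_paperclip_db_port"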

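# Print $1 wrapped in single quotes so a POSIX shell reads it back as exactly
# one word. Embedded single quotes are rewritten as '\'' (close the quote,
# emit an escaped quote, reopen).
#
# Arguments: $1 - the string to quote
# Outputs:   the quoted word on stdout
#
# An empty string is handled separately: sed receives no input line for it and
# would print nothing, so an empty argument would silently disappear from the
# remote command line instead of arriving as ''.
#
# NOTE(review): a value that ends in a newline still loses that final newline,
# because sed places the closing quote at the end of the last line.
quote() {
  if [ -z "$1" ]; then
    printf "%s" "''"
    return 0
  fi
  printf "%s" "$1" | sed "s/'/'\\\\''/g;1s/^/'/;\$s/\$/'/"
}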

# Mirror a local prompt directory to the same absolute path on the worker.
#
# Globals:   worker_key, worker_user, worker_host (read); local_dir (written)
# Arguments: $1 - absolute directory path, used on both hosts
# Returns:   0 when the directory does not exist locally (nothing to sync),
#            otherwise the status of the transfer command
#
# Host keys: StrictHostKeyChecking=accept-new records an unknown host's key on
# first contact without verification and only rejects later changes. Placing
# the worker's key in known_hosts beforehand removes that first-use trust.
sync_prompt_dir() {
  local_dir="$1"
  [ -d "$local_dir" ] || return 0

  # Reuse one option list for every plain ssh call in this function. This
  # replaces only the function's own positional parameters.
  set -- \
    -i "$worker_key" \
    -o BatchMode=yes \
    -o StrictHostKeyChecking=accept-new \
    "${worker_user}@${worker_host}"

  # Create the target first so both transfer methods can rely on it.
  ssh "$@" "mkdir -p $(quote "$local_dir")"

  if ! command -v rsync >/dev/null 2>&1; then
    # Fallback when rsync is missing locally: stream a tar archive over ssh.
    # Plain sh has no pipefail, so only the remote side's status is reported;
    # a failure of the local tar alone goes unnoticed here.
    tar -C "$local_dir" -cf - . | ssh "$@" "tar -C $(quote "$local_dir") -xf -"
  else
    rsync -az \
      -e "ssh -i $(quote "$worker_key") -o BatchMode=yes -o StrictHostKeyChecking=accept-new" \
      "${local_dir}/" \
      "${worker_user}@${worker_host}:${local_dir}/"
  fi
}

# Add NAME='value' to the remote environment string, skipping empty values so
# unset local variables are not exported to the worker as empty strings.
#
# Globals:   remote_env (appended to); name, value (written)
# Arguments: $1 - variable name, inserted as-is (callers pass literal names)
#            $2 - value, optional; shell-quoted with quote() before use
append_env() {
  name="$1"
  value="${2:-}"
  [ -n "$value" ] || return 0
  remote_env="${remote_env} ${name}=$(quote "$value")"
}

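# Environment handed to the remote Hermes process, built as a string of
# NAME='value' words by append_env.
#
# NOTE(review): this string becomes part of the remote command line, which is
# passed to ssh as an argument. The API key, GitHub token and database URL
# added below are therefore present in the local ssh process's argument list
# for the whole session, where other local users can usually read them from
# the process list. Moving secrets to a channel that is not argv (stdin, or a
# root-only file on the worker) would close that exposure.
remote_env=""
# Do not blindly forward Paperclip's local HOME/HERMES_HOME to the remote worker.
# If the adapter provided a known remote Hermes profile path, use it so plain
# remote Hermes commands can find their auth and config. Profile wrappers such
# as hermes-high can still override this by omitting HERMES_HOME or setting the
# explicit LEXPRIVE_REMOTE_* variables.
remote_hermes_home="${LEXPRIVE_REMOTE_HERMES_HOME:-}"
if [ -z "$remote_hermes_home" ]; then
  case "${HERMES_HOME:-}" in
    */../*|*/..)
      # The allow-list below is a prefix match, and a ".." component would let
      # a value that starts with an allowed prefix resolve outside it. Such
      # values are not forwarded.
      ;;
    /var/lib/lexprive-ai-company/*|/var/lib/paperclip-ai-company/*)
      remote_hermes_home="$HERMES_HOME"
      ;;
  esac
fi
append_env HOME "${LEXPRIVE_REMOTE_HOME:-$remote_hermes_home}"
append_env HERMES_HOME "$remote_hermes_home"
append_env HERMES_MEMORY_DIR "${HERMES_MEMORY_DIR:-}"
append_env HERMES_MODEL "${HERMES_MODEL:-}"
append_env HERMES_REASONING_EFFORT "${HERMES_REASONING_EFFORT:-}"
# The worker reaches the Paperclip API through the reverse tunnel, so the URL
# always points at the worker's own loopback address.
append_env PAPERCLIP_API_URL "http://127.0.0.1:${remote_paperclip_port}/api"
append_env PAPERCLIP_API_KEY "${PAPERCLIP_API_KEY:-}"
# Always expose the Paperclip DB through the SSH reverse tunnel from the
# worker's point of view. Worker-local .env files may contain a Paperclip-host
# URL such as 127.0.0.1:54329; forwarding that value would point at the worker
# itself and break native Paperclip cost sync. Operators can still override the
# exact remote URL with LEXPRIVE_REMOTE_PAPERCLIP_DB_URL when needed.
#
# NOTE(review): the default URL carries fixed credentials (paperclip:paperclip)
# and the tunnel listens on the worker's loopback interface, so any local
# account on the worker can presumably reach the database while a run is
# active. Confirm that is acceptable, or supply a URL with per-deployment
# credentials through LEXPRIVE_REMOTE_PAPERCLIP_DB_URL.
paperclip_db_url="${LEXPRIVE_REMOTE_PAPERCLIP_DB_URL:-postgres://paperclip:paperclip@127.0.0.1:${remote_paperclip_db_port}/paperclip}"
append_env PAPERCLIP_DB_URL "$paperclip_db_url"
append_env PAPERCLIP_DATABASE_URL "$paperclip_db_url"
append_env PAPERCLIP_RUN_ID "${PAPERCLIP_RUN_ID:-}"
append_env PAPERCLIP_AGENT_ID "${PAPERCLIP_AGENT_ID:-}"
append_env LEXPRIVE_OPS_TOOL "${LEXPRIVE_OPS_TOOL:-}"
append_env LEXPRIVE_PRODUCT_REPO_PATH "${LEXPRIVE_PRODUCT_REPO_PATH:-}"
append_env LEXPRIVE_GITHUB_REPOSITORY "${LEXPRIVE_GITHUB_REPOSITORY:-}"
append_env LEXPRIVE_GITHUB_REMOTE "${LEXPRIVE_GITHUB_REMOTE:-}"
append_env LEXPRIVE_GITHUB_DEPLOY_KEY "${LEXPRIVE_GITHUB_DEPLOY_KEY:-}"
append_env LEXPRIVE_GITHUB_PR_TOKEN "${LEXPRIVE_GITHUB_PR_TOKEN:-}"
# Derive GIT_SSH_COMMAND from the deploy key when the caller did not set one.
# Git hands GIT_SSH_COMMAND to a shell, so the key path is shell-quoted here;
# left bare, a path containing spaces or shell metacharacters would be split
# or interpreted when git runs the command on the worker.
git_ssh_command="${GIT_SSH_COMMAND:-}"
if [ -z "$git_ssh_command" ] && [ -n "${LEXPRIVE_GITHUB_DEPLOY_KEY:-}" ]; then
  git_ssh_command="ssh -i $(quote "$LEXPRIVE_GITHUB_DEPLOY_KEY") -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new"
fi
append_env GIT_SSH_COMMAND "$git_ssh_command"
append_env GIT_AUTHOR_NAME "${GIT_AUTHOR_NAME:-}"
append_env GIT_AUTHOR_EMAIL "${GIT_AUTHOR_EMAIL:-}"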

# Shell-quote each argument of this wrapper individually, so the remote shell
# rebuilds the same argument vector for Hermes.
remote_args=""
for arg do
  remote_args="${remote_args} $(quote "$arg")"
done

# Copy the prompt directories to the worker before Hermes starts. A directory
# that does not exist locally is skipped.
sync_prompt_dir "/var/lib/paperclip-ai-company/hermes/prompts"
sync_prompt_dir "/var/lib/lexprive-ai-company/hermes/lexprive-prompts"

# Remote command line: enter the working directory, then replace the remote
# shell with env, which sets the collected variables and runs Hermes. Every
# interpolated value has already passed through quote().
remote_script="cd $(quote "$remote_cwd")"
remote_script="${remote_script} && exec env${remote_env} $(quote "$remote_hermes")${remote_args}"

# Replace this process with the ssh session that runs Hermes on the worker.
#   BatchMode=yes            never prompt; fail if the key cannot authenticate.
#   StrictHostKeyChecking    accept-new stores an unknown host key on first
#                            contact and rejects a changed one afterwards.
#   ExitOnForwardFailure=yes abort if either reverse tunnel cannot be bound.
# Both -R forwards bind to 127.0.0.1 on the worker and lead back to the
# Paperclip API and database ports on this host.
# The final argument is the full remote command line, including the quoted
# environment values, so those values are part of this process's arguments.
set -- \
  -i "$worker_key" \
  -o BatchMode=yes \
  -o StrictHostKeyChecking=accept-new \
  -o ExitOnForwardFailure=yes \
  -R "127.0.0.1:${remote_paperclip_port}:127.0.0.1:${local_paperclip_port}" \
  -R "127.0.0.1:${remote_paperclip_db_port}:127.0.0.1:${local_paperclip_db_port}" \
  "${worker_user}@${worker_host}" \
  "$remote_script"
exec ssh "$@"
