#!/usr/bin/env bash
# (Re)write the dolibarr-sandbox-write skill .env from the provisioned key file,
# then verify it authenticates. Run this after 'provision' (or any time the key
# changed). The key is instance-encrypted per Dolibarr instance, so a refresh
# invalidates it — re-provision first if this fails to authenticate.
set -euo pipefail
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
ROOT="${ARCO_ROOT:-$(cd "${SCRIPT_DIR}/../../../.." && pwd)}"
SB_URL="${DOLIBARR_SANDBOX_URL:-https://erp-sandbox.arcodange.lab}"
KEY="${ROOT}/test/.ai_agent_sandbox.key"
ENV="${ROOT}/.claude/skills/dolibarr-sandbox-write/.env"
DOLW="${ROOT}/.claude/skills/dolibarr-sandbox-write/scripts/dol-write.sh"

[[ -s "${KEY}" ]] || { echo "checkpoint-relink-env: no key at ${KEY}" >&2
  echo "  run 'arcodange sandbox checkpoint provision' first." >&2; exit 1; }

umask 077
{ echo "DOLIBARR_SANDBOX_URL=${SB_URL}"
  printf 'DOLIBARR_SANDBOX_API_KEY=%s\n' "$(tr -d '\r\n' < "${KEY}")"; } > "${ENV}"
chmod 600 "${ENV}"
echo "✓ wrote ${ENV} (mode 600)"

printf 'verify: '
"${DOLW}" GET /users/info | python3 -c "import json,sys
d = json.load(sys.stdin)
if isinstance(d, dict) and d.get('login'):
    print('OK — armed as %s (id %s)' % (d['login'], d.get('id')))
else:
    msg = d.get('error', {}).get('message', '?') if isinstance(d, dict) else str(d)
    print('FAILED — %s' % msg); sys.exit(1)"