#!/bin/sh
# Squadem Enterprise Self-Hosted Installer
#
# NOTE: Self-hosted / air-gapped deployment requires an Enterprise license.
# Free and Pro tiers are cloud-hosted only. Contact sales@squadem.com for
# Enterprise pricing, or visit https://squadem.com/pricing
#
# Two components ship from the same release; pick what this host should run:
#
#   • core      — Squadem control plane (dashboard, AI proxy, plugin
#                 manager, in-process Agent IDE / GPU manager). This is
#                 what you install on the box that operators log into.
#
#   • gpu-agent — Headless companion that turns a remote NVIDIA / Apple
#                 Silicon machine into a GPU node for an existing core.
#                 No dashboard, no license prompt — it joins your core
#                 with a registration token.
#
# Selection order: --component=<name> flag → SQUADEM_COMPONENT env →
# interactive prompt → defaults to "core".
#
# Examples:
#   # Core, native binary (interactive license prompt)
#   curl -fsSL https://get.squadem.com/install.sh | sh
#
#   # Core, with license key (scripted / CI)
#   curl -fsSL https://get.squadem.com/install.sh | \
#     SQUADEM_LICENSE_KEY=SQD-XXXX-XXXX-XXXX sh
#
#   # Core, dockerized
#   curl -fsSL https://get.squadem.com/install.sh | \
#     SQUADEM_LICENSE_KEY=SQD-XXXX-XXXX-XXXX sh -s -- --mode=docker
#
#   # GPU agent on a remote box (interactive prompts)
#   curl -fsSL https://get.squadem.com/install.sh | \
#     SQUADEM_LICENSE_KEY=SQD-XXXX-XXXX-XXXX sh -s -- --gpu-agent
#
#   # GPU agent, fully scripted (no prompts)
#   curl -fsSL https://get.squadem.com/install.sh | \
#     SQUADEM_LICENSE_KEY=SQD-XXXX-XXXX-XXXX \
#     SQUADEM_CENTRAL_URL=http://core.lan:8081 \
#     SQUADEM_AGENT_TOKEN=sqd-... sh -s -- --gpu-agent
#
# Plugins (RAG, meetings, training, automation, SSO, adapters) ship as
# containers but are managed by core. After install, open the dashboard
# → Plugins, or run: squadem compose extract && docker compose --profile rag up -d
#
# Override knobs (env vars):
#   SQUADEM_COMPONENT       core | gpu-agent (default: prompt, then core)
#   SQUADEM_VERSION         release tag to pin (default: latest)
#   SQUADEM_DIR             install dir (default: ~/.squadem)
#   SQUADEM_LICENSE_KEY     core only — Enterprise license key (self-hosted requires Enterprise)
#   SQUADEM_CENTRAL_URL     gpu-agent only — URL of the core (e.g. http://core:8081)
#   SQUADEM_AGENT_TOKEN     gpu-agent only — registration token from core dashboard
#   SQUADEM_AGENT_PORT      gpu-agent only — listening port (default: 9400)
#   (Binaries are fetched via signed S3 URLs after license validation)
#   SQUADEM_DOCKER_IMAGE    core+docker only — image (default squadem/squadem-core:<version>)
#   SQUADEM_MODE            core only — binary | docker (default: binary)

set -e

SQUADEM_VERSION="${SQUADEM_VERSION:-latest}"
SQUADEM_DIR="${SQUADEM_DIR:-$HOME/.squadem}"
SQUADEM_DOCKER_IMAGE="${SQUADEM_DOCKER_IMAGE:-squadem/squadem-core:${SQUADEM_VERSION}}"
LICENSE_API="https://squadem.com/api/license"

# License key is required for self-hosted/Enterprise downloads
SQUADEM_LICENSE_KEY="${SQUADEM_LICENSE_KEY:-}"

COMPONENT="${SQUADEM_COMPONENT:-}"
MODE="${SQUADEM_MODE:-binary}"
for arg in "$@"; do
  case "$arg" in
    --component=core|--core)              COMPONENT="core" ;;
    --component=gpu-agent|--gpu-agent)    COMPONENT="gpu-agent" ;;
    --mode=binary|--binary)               MODE="binary" ;;
    --mode=docker|--docker)               MODE="docker" ;;
    -h|--help)
      # Dump the leading comment block. Stop at the first non-comment
      # line so the help text auto-grows when we extend the header.
      awk 'NR==1{next} /^[^#]/{exit} {sub(/^# ?/,""); print}' "$0"
      exit 0
      ;;
  esac
done

# ── Pretty output ──
# We resolve the ESC byte once via printf so the color vars hold a
# real 0x1B character, not the literal four-byte string "\033". This
# makes `cat <<BANNER`, `echo`, and `printf` all render colors
# correctly under any POSIX /bin/sh — including dash and macOS bash
# in POSIX mode where `echo` does not interpret backslash escapes.
ESC=$(printf '\033')
RED="${ESC}[0;31m"
GREEN="${ESC}[0;32m"
YELLOW="${ESC}[1;33m"
CYAN="${ESC}[0;36m"
BOLD="${ESC}[1m"
NC="${ESC}[0m"
info()  { printf "%s[squadem]%s %s\n" "$GREEN"  "$NC" "$1"; }
warn()  { printf "%s[squadem]%s %s\n" "$YELLOW" "$NC" "$1"; }
error() { printf "%s[squadem]%s %s\n" "$RED"    "$NC" "$1" >&2; exit 1; }

# ── License-gated download URLs ────────────────────────────────────
# Self-hosted installations require an Enterprise license. We call the
# license server to validate the key and get signed download URLs.
# This ensures binaries are not publicly accessible.
DOWNLOAD_URLS_JSON=""

fetch_download_urls() {
  local component="$1"
  local platform="$2"

  if [ -z "$SQUADEM_LICENSE_KEY" ]; then
    if [ -r /dev/tty ]; then
      echo ""
      echo "  ${BOLD}Self-hosted installation requires an Enterprise license.${NC}"
      echo "  Enter your license key (or get one at https://squadem.com/pricing)"
      echo ""
      printf "  License key: "
      read -r SQUADEM_LICENSE_KEY < /dev/tty || SQUADEM_LICENSE_KEY=""
      echo ""
    fi
    if [ -z "$SQUADEM_LICENSE_KEY" ]; then
      error "License key required. Set SQUADEM_LICENSE_KEY or use cloud-hosted version."
    fi
  fi

  info "Validating license and fetching download URLs..."

  local payload
  payload=$(cat <<EOF
{"license_key":"$SQUADEM_LICENSE_KEY","version":"$SQUADEM_VERSION","platform":"$platform","component":"$component"}
EOF
)

  local response
  if command -v curl >/dev/null 2>&1; then
    response=$(curl -fsSL -X POST \
      -H "Content-Type: application/json" \
      -d "$payload" \
      "${LICENSE_API}/download-urls" 2>&1) || {
      # Try to extract error message from response
      if echo "$response" | grep -q '"error"'; then
        local err_msg
        err_msg=$(echo "$response" | sed 's/.*"error":"\([^"]*\)".*/\1/')
        error "License validation failed: $err_msg"
      else
        error "Failed to contact license server. Check your internet connection."
      fi
    }
  elif command -v wget >/dev/null 2>&1; then
    response=$(wget -qO- --post-data="$payload" \
      --header="Content-Type: application/json" \
      "${LICENSE_API}/download-urls" 2>&1) || {
      error "Failed to contact license server. Check your internet connection."
    }
  else
    error "curl or wget is required"
  fi

  # Check for error in response
  if echo "$response" | grep -q '"error"'; then
    local err_msg
    err_msg=$(echo "$response" | sed 's/.*"error":"\([^"]*\)".*/\1/')
    error "License validation failed: $err_msg"
  fi

  DOWNLOAD_URLS_JSON="$response"
  info "License validated - download URLs obtained"
}

# Extract URL from JSON response (simple grep-based parsing for POSIX sh)
get_download_url() {
  local filename="$1"
  echo "$DOWNLOAD_URLS_JSON" | grep -o "\"$filename\":\"[^\"]*\"" | sed 's/.*:"\([^"]*\)"/\1/'
}

cat <<BANNER

${CYAN}${BOLD}  ███████╗ ██████╗ ██╗   ██╗ █████╗ ██████╗ ███████╗███╗   ███╗
  ██╔════╝██╔═══██╗██║   ██║██╔══██╗██╔══██╗██╔════╝████╗ ████║
  ███████╗██║   ██║██║   ██║███████║██║  ██║█████╗  ██╔████╔██║
  ╚════██║██║▄▄ ██║██║   ██║██╔══██║██║  ██║██╔══╝  ██║╚██╔╝██║
  ███████║╚██████╔╝╚██████╔╝██║  ██║██████╔╝███████╗██║ ╚═╝ ██║
  ╚══════╝ ╚══▀▀═╝  ╚═════╝ ╚═╝  ╚═╝╚═════╝ ╚══════╝╚═╝     ╚═╝${NC}

BANNER

# ── Detect OS / arch ──────────────────────────────────────────────
OS="$(uname -s)"
ARCH="$(uname -m)"
case "$OS" in
  Darwin) BIN_OS="darwin" ;;
  Linux)  BIN_OS="linux"  ;;
  *)      error "Unsupported OS: $OS (Squadem supports macOS and Linux)" ;;
esac
case "$ARCH" in
  x86_64|amd64)  ARCH_NAME="amd64" ;;
  arm64|aarch64) ARCH_NAME="arm64" ;;
  *)             error "Unsupported architecture: $ARCH" ;;
esac

# ── Component selection ───────────────────────────────────────────
# We ask up-front because the rest of the script (license validation,
# binary URL, service unit, post-install message) all branches off this
# choice. When piped from `curl … | sh` we still get an interactive
# prompt by reading directly from /dev/tty (same trick used for the
# license key below). If /dev/tty is unavailable we silently fall back
# to "core" — that's the 99% case for unattended provisioning runs.
if [ -z "$COMPONENT" ]; then
  if [ -r /dev/tty ]; then
    echo ""
    echo "  ${BOLD}Which Squadem component would you like to install?${NC}"
    echo "    1) core       — control plane: dashboard, AI proxy, plugins, agent IDE"
    echo "    2) gpu-agent  — remote GPU node that joins an existing core"
    echo ""
    printf "  Selection [1]: "
    _ans=""
    read -r _ans < /dev/tty || _ans=""
    case "$_ans" in
      2|gpu-agent|gpu) COMPONENT="gpu-agent" ;;
      *)              COMPONENT="core" ;;
    esac
    echo ""
  else
    COMPONENT="core"
  fi
fi
case "$COMPONENT" in
  core|gpu-agent) ;;
  *) error "Unknown --component=${COMPONENT} (use core or gpu-agent)" ;;
esac
# `--mode=docker` only ships for core. Silently coerce gpu-agent back
# to native binary so a user passing both flags doesn't get a confusing
# "image not found" later.
if [ "$COMPONENT" = "gpu-agent" ] && [ "$MODE" = "docker" ]; then
  warn "Docker mode is not supported for gpu-agent — falling back to native binary"
  MODE="binary"
fi

if [ "$COMPONENT" = "core" ]; then
  info "Platform: ${BIN_OS}/${ARCH_NAME}   Component: ${BOLD}core${NC}   Mode: ${BOLD}${MODE}${NC}"
else
  info "Platform: ${BIN_OS}/${ARCH_NAME}   Component: ${BOLD}gpu-agent${NC}"
fi

# ──────────────────────────────────────────────────────────────────
# CORE PATH — license, .env, control-plane install
# ──────────────────────────────────────────────────────────────────
if [ "$COMPONENT" = "core" ]; then

# ── License key ───────────────────────────────────────────────────
ENV_FILE="$SQUADEM_DIR/.env"
SQUADEM_LICENSE_KEY="${SQUADEM_LICENSE_KEY:-}"
if [ -z "$SQUADEM_LICENSE_KEY" ] && [ -f "$ENV_FILE" ]; then
  SQUADEM_LICENSE_KEY=$(grep -E '^SQUADEM_LICENSE_KEY=' "$ENV_FILE" 2>/dev/null | cut -d'=' -f2- | tr -d '"' || true)
fi
if [ -z "$SQUADEM_LICENSE_KEY" ]; then
  echo ""
  echo "  ${BOLD}An Enterprise license key is required.${NC}"
  echo "  Self-hosted deployment is available for Enterprise customers only."
  echo "  Contact sales: ${BOLD}https://squadem.com/pricing${NC}"
  echo ""
  printf "  Enterprise license key: "
  read -r SQUADEM_LICENSE_KEY < /dev/tty
  echo ""
fi
[ -z "$SQUADEM_LICENSE_KEY" ] && error "No license key provided"

info "Validating license..."
AUTH_RESPONSE=$(curl -sf -X POST "${LICENSE_API}/install/auth" \
  -H "Content-Type: application/json" \
  -d "{\"key\":\"${SQUADEM_LICENSE_KEY}\"}" 2>&1) || \
    error "License validation failed (offline or invalid key). Contact sales at https://squadem.com/pricing"
echo "$AUTH_RESPONSE" | grep -q '"success":\s*true' || \
  error "License validation failed: $(echo "$AUTH_RESPONSE" | grep -o '"error":"[^"]*"' | cut -d'"' -f4)"
LICENSE_TIER=$(echo "$AUTH_RESPONSE" | grep -o '"tier":"[^"]*"' | cut -d'"' -f4 || echo "unknown")

# Self-hosted deployment requires Enterprise license
if [ "$LICENSE_TIER" != "enterprise" ]; then
  error "Self-hosted deployment requires an Enterprise license. Your license is '${LICENSE_TIER}'. Contact sales at https://squadem.com/pricing to upgrade."
fi

info "License valid (${LICENSE_TIER} plan)"

# ── Layout + minimal .env ─────────────────────────────────────────
DATA_DIR="${SQUADEM_DATA_DIR:-$SQUADEM_DIR/data}"
mkdir -p "$SQUADEM_DIR" "$DATA_DIR"

# Single-source-of-truth .env. The binary fills in everything else
# (passwords, plugin URLs, host hints) at first boot or via the
# dashboard's Settings page — install.sh stays thin on purpose.
if [ ! -f "$ENV_FILE" ]; then
  cat > "$ENV_FILE" <<ENVEOF
# Squadem Configuration (auto-generated by install.sh)
SQUADEM_VERSION=${SQUADEM_VERSION}
SQUADEM_LICENSE_KEY=${SQUADEM_LICENSE_KEY}
SQUADEM_DATA_DIR=${DATA_DIR}
SQUADEM_AUTH_MODE=local
ENVEOF
  info "Wrote ${ENV_FILE}"
else
  if grep -q '^SQUADEM_LICENSE_KEY=' "$ENV_FILE" 2>/dev/null; then
    sed -i.bak "s|^SQUADEM_LICENSE_KEY=.*|SQUADEM_LICENSE_KEY=${SQUADEM_LICENSE_KEY}|" "$ENV_FILE" && rm -f "${ENV_FILE}.bak"
  else
    echo "SQUADEM_LICENSE_KEY=${SQUADEM_LICENSE_KEY}" >> "$ENV_FILE"
  fi
  # Upgrade hygiene: pre-binary installs hard-coded plugin URLs to old
  # docker-compose service hostnames (agent-registry, agent-sandbox,
  # gpu-agent). Those services no longer exist — they run in-process
  # inside the binary. Clearing the URLs here makes the binary fall
  # back to its built-in localhost endpoints.
  for _stale in AGENT_IDE_REGISTRY_URL AGENT_SANDBOX_URL GPU_AGENT_URL ROUTER_SERVICE_URL DATA_QUALITY_SERVICE_URL; do
    if grep -qE "^${_stale}=https?://(agent-registry|agent-sandbox|gpu-agent|router-service|data-quality-service)" "$ENV_FILE" 2>/dev/null; then
      sed -i.bak "s|^${_stale}=.*|${_stale}=|" "$ENV_FILE" && rm -f "${ENV_FILE}.bak"
      info "Cleared stale ${_stale} (now in-process)"
    fi
  done
  info "Refreshed license in ${ENV_FILE}"
fi

# ══════════════════════════════════════════════════════════════════
# OPTION 1 — Native binary
# ══════════════════════════════════════════════════════════════════
if [ "$MODE" = "binary" ]; then
  BIN_DIR="$SQUADEM_DIR/bin"
  BIN_PATH="$BIN_DIR/squadem"
  mkdir -p "$BIN_DIR"

  # Fetch signed download URLs from license server
  PLATFORM="${BIN_OS}-${ARCH_NAME}"
  fetch_download_urls "core" "$PLATFORM"

  # Extract URLs from response
  BIN_FILE="squadem-${PLATFORM}"
  BIN_URL=$(get_download_url "$BIN_FILE")
  if [ -z "$BIN_URL" ]; then
    error "Failed to get download URL for $BIN_FILE"
  fi

  # Stop existing service before downloading (binary may be locked)
  STOPPED_SERVICE=""
  if [ "$OS" = "Linux" ] && systemctl --user is-active squadem.service >/dev/null 2>&1; then
    info "Stopping existing Squadem service for upgrade..."
    systemctl --user stop squadem.service 2>/dev/null || true
    STOPPED_SERVICE="systemd"
  elif [ "$OS" = "Darwin" ]; then
    PLIST_PATH="$HOME/Library/LaunchAgents/com.squadem.core.plist"
    if launchctl list | grep -q com.squadem.core 2>/dev/null; then
      info "Stopping existing Squadem service for upgrade..."
      launchctl unload "$PLIST_PATH" 2>/dev/null || true
      STOPPED_SERVICE="launchd"
    fi
  fi

  # Kill any stray squadem processes not managed by the service
  if pgrep -x squadem >/dev/null 2>&1; then
    info "Killing existing squadem processes..."
    pkill -x squadem 2>/dev/null || true
    sleep 1
    # Force kill if still running
    pkill -9 -x squadem 2>/dev/null || true
  fi

  # Download to a temp file first, then move (handles locked binary edge case)
  BIN_TMP="${BIN_PATH}.new"
  info "Downloading squadem ${SQUADEM_VERSION}..."
  if command -v curl >/dev/null 2>&1; then
    curl -fL --progress-bar "$BIN_URL" -o "$BIN_TMP" || error "Download failed"
  elif command -v wget >/dev/null 2>&1; then
    wget -q --show-progress "$BIN_URL" -O "$BIN_TMP" || error "Download failed"
  else
    error "curl or wget is required"
  fi
  mv -f "$BIN_TMP" "$BIN_PATH"

  # ── Verify checksum ────────────────────────────────────────────
  # SHA256SUMS is included in the signed download URLs
  SUMS_URL=$(get_download_url "SHA256SUMS")
  if command -v sha256sum >/dev/null 2>&1; then SHA_TOOL="sha256sum";
  elif command -v shasum   >/dev/null 2>&1; then SHA_TOOL="shasum -a 256";
  else SHA_TOOL=""; fi
  if [ -n "$SHA_TOOL" ] && [ -n "$SUMS_URL" ]; then
    SUMS_TMP="$(mktemp)"
    if curl -fsSL "$SUMS_URL" -o "$SUMS_TMP" 2>/dev/null; then
      EXPECTED=$(grep " squadem-${BIN_OS}-${ARCH_NAME}\$" "$SUMS_TMP" | awk '{print $1}' | head -1)
      if [ -n "$EXPECTED" ]; then
        ACTUAL=$($SHA_TOOL "$BIN_PATH" | awk '{print $1}')
        if [ "$EXPECTED" != "$ACTUAL" ]; then
          rm -f "$SUMS_TMP"
          error "SHA256 mismatch — refusing to install. Expected $EXPECTED, got $ACTUAL"
        fi
        info "Checksum verified"
      else
        warn "SHA256SUMS missing entry for squadem-${BIN_OS}-${ARCH_NAME} — skipping verification"
      fi
    else
      warn "SHA256SUMS unavailable at $SUMS_URL — skipping verification"
    fi
    rm -f "$SUMS_TMP"
  fi

  chmod +x "$BIN_PATH"

  # ── macOS quarantine workaround ────────────────────────────────
  # Squadem binaries are not yet Apple Developer-signed/notarized
  # (Squadem LLC's Apple account is in flight). Gatekeeper attaches
  # the `com.apple.quarantine` xattr to anything `curl` downloaded,
  # which makes the very first launch pop a "cannot be opened
  # because the developer cannot be verified" dialog. We strip the
  # attribute eagerly here so the binary launches cleanly. This is
  # the same workaround used by Homebrew formulae for unsigned tools
  # (and what `brew install --cask` does behind the scenes).
  #
  # If you'd rather keep Gatekeeper's default behaviour, comment out
  # the line below and run it manually after each upgrade:
  #   xattr -d com.apple.quarantine ~/.squadem/bin/squadem
  if [ "$OS" = "Darwin" ] && command -v xattr >/dev/null 2>&1; then
    xattr -d com.apple.quarantine "$BIN_PATH" 2>/dev/null || true
  fi

  if [ "$OS" = "Linux" ]; then
    UNIT_PATH="$HOME/.config/systemd/user/squadem.service"
    mkdir -p "$(dirname "$UNIT_PATH")"
    # Build a PATH that includes the standard system bin dirs plus the
    # locations Docker / docker-ce installs the CLI on most distros.
    # systemd --user otherwise inherits a stripped PATH that omits
    # /usr/local/bin and /snap/bin, which breaks every downstream
    # `docker ...` exec the binary issues for plugins, adapters, agent
    # containers, and GPU model deployments.
    cat > "$UNIT_PATH" <<SDEOF
[Unit]
Description=Squadem
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
Environment=PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin:/opt/docker/bin
EnvironmentFile=${ENV_FILE}
WorkingDirectory=${SQUADEM_DIR}
ExecStart=${BIN_PATH} --data-dir=${DATA_DIR}
Restart=on-failure
RestartSec=5

[Install]
WantedBy=default.target
SDEOF
    systemctl --user daemon-reload 2>/dev/null || true
    systemctl --user enable --now squadem.service 2>/dev/null || \
      warn "Run manually: systemctl --user enable --now squadem.service"
    loginctl enable-linger "$USER" >/dev/null 2>&1 || true
    SVC_HINT="systemctl --user {status|restart|stop} squadem  •  journalctl --user -u squadem -f"
  else  # macOS
    PLIST_PATH="$HOME/Library/LaunchAgents/com.squadem.core.plist"
    mkdir -p "$(dirname "$PLIST_PATH")"
    # launchd hands child processes a stripped PATH (/usr/bin:/bin:/usr/sbin:/sbin)
    # that omits /usr/local/bin (x86 Homebrew + manual docker), /opt/homebrew/bin
    # (Apple-Silicon Homebrew), and Docker Desktop's own CLI dir. Without an
    # explicit PATH here every `docker ...` exec issued by the binary
    # (plugins, adapters, agent containers, GPU model deployments)
    # fails with "executable file not found in \$PATH". The binary
    # also runs EnsureDockerOnPATH() at startup as a belt-and-suspenders
    # fallback, but baking the right PATH into the plist is what makes
    # the first boot work cleanly.
    cat > "$PLIST_PATH" <<PLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.squadem.core</string>
  <key>ProgramArguments</key>
  <array><string>${BIN_PATH}</string><string>--data-dir=${DATA_DIR}</string></array>
  <key>EnvironmentVariables</key>
  <dict>
    <key>SQUADEM_ENV_FILE</key><string>${ENV_FILE}</string>
    <key>PATH</key><string>/usr/local/bin:/opt/homebrew/bin:/Applications/Docker.app/Contents/Resources/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
  </dict>
  <key>WorkingDirectory</key><string>${SQUADEM_DIR}</string>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StandardOutPath</key><string>${SQUADEM_DIR}/squadem.log</string>
  <key>StandardErrorPath</key><string>${SQUADEM_DIR}/squadem.log</string>
</dict></plist>
PLIST
    launchctl unload "$PLIST_PATH" 2>/dev/null || true
    launchctl load "$PLIST_PATH" 2>/dev/null || \
      warn "Run manually: launchctl load $PLIST_PATH"
    SVC_HINT="launchctl {load|unload} ${PLIST_PATH}  •  tail -f ${SQUADEM_DIR}/squadem.log"
  fi
fi

# ══════════════════════════════════════════════════════════════════
# OPTION 2 — Same binary, in a Docker container
# ══════════════════════════════════════════════════════════════════
if [ "$MODE" = "docker" ]; then
  command -v docker >/dev/null 2>&1 || \
    error "Docker is not installed. Get it at https://docker.com — or rerun without --mode=docker for the native binary."
  docker info >/dev/null 2>&1 || error "Docker daemon is not running. Start Docker and try again."

  info "Pulling ${SQUADEM_DOCKER_IMAGE}..."
  docker pull "$SQUADEM_DOCKER_IMAGE" || error "Pull failed for $SQUADEM_DOCKER_IMAGE"

  # Replace any previous container of the same name. We mount the
  # host docker socket so the in-process Agent IDE sandbox can spawn
  # ephemeral containers, and we expose only the user-facing ports
  # (dashboard, AI proxy, REST API, plugin manager). Transparent /
  # gateway listeners (DNS:53, transparent 8180/443) are configured
  # later from the dashboard if needed.
  docker rm -f squadem-core >/dev/null 2>&1 || true
  docker run -d \
    --name squadem-core \
    --restart unless-stopped \
    --env-file "$ENV_FILE" \
    -v "$DATA_DIR:/data" \
    -v /var/run/docker.sock:/var/run/docker.sock \
    --add-host=host.docker.internal:host-gateway \
    -p 8080:8080 \
    -p 8081:8081 \
    -p 8085:8085 \
    -p 8088:8088 \
    -p 8093:8093 \
    -p 8200:8200 \
    "$SQUADEM_DOCKER_IMAGE" >/dev/null
  SVC_HINT="docker {logs|restart|stop} squadem-core"
fi

fi  # end COMPONENT=core

# ══════════════════════════════════════════════════════════════════
# GPU-AGENT PATH — companion binary that joins an existing core
# ══════════════════════════════════════════════════════════════════
if [ "$COMPONENT" = "gpu-agent" ]; then
  AGENT_ENV_FILE="$SQUADEM_DIR/gpu-agent.env"
  mkdir -p "$SQUADEM_DIR"

  # Hydrate prior values so a re-run is a real upgrade (preserve URL +
  # token without re-prompting). Env vars passed on the current run
  # always win — that's how `SQUADEM_AGENT_TOKEN=… sh` rotates secrets.
  if [ -f "$AGENT_ENV_FILE" ]; then
    SQUADEM_CENTRAL_URL="${SQUADEM_CENTRAL_URL:-$(grep -E '^SQUADEM_CENTRAL_URL=' "$AGENT_ENV_FILE" | cut -d'=' -f2- | tr -d '"' || true)}"
    SQUADEM_AGENT_TOKEN="${SQUADEM_AGENT_TOKEN:-$(grep -E '^SQUADEM_AGENT_TOKEN=' "$AGENT_ENV_FILE" | cut -d'=' -f2- | tr -d '"' || true)}"
    SQUADEM_AGENT_PORT="${SQUADEM_AGENT_PORT:-$(grep -E '^SQUADEM_AGENT_PORT=' "$AGENT_ENV_FILE" | cut -d'=' -f2- | tr -d '"' || true)}"
  fi
  SQUADEM_AGENT_PORT="${SQUADEM_AGENT_PORT:-9400}"

  if [ -z "$SQUADEM_CENTRAL_URL" ]; then
    echo ""
    echo "  ${BOLD}Squadem core URL${NC}"
    echo "  Where this GPU agent should register (e.g. http://core.lan:8081)."
    echo ""
    printf "  Central URL: "
    read -r SQUADEM_CENTRAL_URL < /dev/tty
    echo ""
  fi
  [ -z "$SQUADEM_CENTRAL_URL" ] && error "No central URL provided"

  if [ -z "$SQUADEM_AGENT_TOKEN" ]; then
    echo "  ${BOLD}Registration token${NC}"
    echo "  Generate one in the dashboard: ${BOLD}Settings → GPU → Add agent${NC}"
    echo ""
    printf "  Token: "
    read -r SQUADEM_AGENT_TOKEN < /dev/tty
    echo ""
  fi
  [ -z "$SQUADEM_AGENT_TOKEN" ] && error "No registration token provided"

  cat > "$AGENT_ENV_FILE" <<AENV
# Squadem GPU Agent (auto-generated by install.sh)
SQUADEM_VERSION=${SQUADEM_VERSION}
SQUADEM_CENTRAL_URL=${SQUADEM_CENTRAL_URL}
SQUADEM_AGENT_TOKEN=${SQUADEM_AGENT_TOKEN}
SQUADEM_AGENT_PORT=${SQUADEM_AGENT_PORT}
AENV
  chmod 600 "$AGENT_ENV_FILE"
  info "Wrote ${AGENT_ENV_FILE}"

  BIN_DIR="$SQUADEM_DIR/bin"
  BIN_PATH="$BIN_DIR/sq-gpu-agent"
  AGENT_FILE="sq-gpu-agent-${BIN_OS}-${ARCH_NAME}"
  mkdir -p "$BIN_DIR"

  # Fetch signed download URLs from license server
  PLATFORM="${BIN_OS}-${ARCH_NAME}"
  fetch_download_urls "gpu-agent" "$PLATFORM"

  # Extract URL from response
  BIN_URL=$(get_download_url "$AGENT_FILE")
  if [ -z "$BIN_URL" ]; then
    error "Failed to get download URL for $AGENT_FILE"
  fi

  # Stop existing service before downloading (binary may be locked)
  STOPPED_SERVICE=""
  if [ "$OS" = "Linux" ] && systemctl --user is-active sq-gpu-agent.service >/dev/null 2>&1; then
    info "Stopping existing GPU agent service for upgrade..."
    systemctl --user stop sq-gpu-agent.service 2>/dev/null || true
    STOPPED_SERVICE="systemd"
  elif [ "$OS" = "Darwin" ]; then
    PLIST_PATH="$HOME/Library/LaunchAgents/com.squadem.gpu-agent.plist"
    if launchctl list | grep -q com.squadem.gpu-agent 2>/dev/null; then
      info "Stopping existing GPU agent service for upgrade..."
      launchctl unload "$PLIST_PATH" 2>/dev/null || true
      STOPPED_SERVICE="launchd"
    fi
  fi

  # Kill any stray sq-gpu-agent processes not managed by the service
  if pgrep -x sq-gpu-agent >/dev/null 2>&1; then
    info "Killing existing sq-gpu-agent processes..."
    pkill -x sq-gpu-agent 2>/dev/null || true
    sleep 1
    # Force kill if still running
    pkill -9 -x sq-gpu-agent 2>/dev/null || true
  fi

  # Download to a temp file first, then move (handles locked binary edge case)
  BIN_TMP="${BIN_PATH}.new"
  info "Downloading sq-gpu-agent ${SQUADEM_VERSION}..."
  if command -v curl >/dev/null 2>&1; then
    curl -fL --progress-bar "$BIN_URL" -o "$BIN_TMP" || error "Download failed"
  elif command -v wget >/dev/null 2>&1; then
    wget -q --show-progress "$BIN_URL" -O "$BIN_TMP" || error "Download failed"
  else
    error "curl or wget is required"
  fi
  mv -f "$BIN_TMP" "$BIN_PATH"

  # Checksum — SHA256SUMS is included in the signed download URLs
  SUMS_URL=$(get_download_url "SHA256SUMS")
  if command -v sha256sum >/dev/null 2>&1; then SHA_TOOL="sha256sum";
  elif command -v shasum   >/dev/null 2>&1; then SHA_TOOL="shasum -a 256";
  else SHA_TOOL=""; fi
  if [ -n "$SHA_TOOL" ] && [ -n "$SUMS_URL" ]; then
    SUMS_TMP="$(mktemp)"
    if curl -fsSL "$SUMS_URL" -o "$SUMS_TMP" 2>/dev/null; then
      EXPECTED=$(grep " ${AGENT_FILE}\$" "$SUMS_TMP" | awk '{print $1}' | head -1)
      if [ -n "$EXPECTED" ]; then
        ACTUAL=$($SHA_TOOL "$BIN_PATH" | awk '{print $1}')
        if [ "$EXPECTED" != "$ACTUAL" ]; then
          rm -f "$SUMS_TMP"
          error "SHA256 mismatch — refusing to install. Expected $EXPECTED, got $ACTUAL"
        fi
        info "Checksum verified"
      else
        warn "SHA256SUMS missing entry for ${AGENT_FILE} — skipping verification"
      fi
    else
      warn "SHA256SUMS unavailable — skipping verification"
    fi
    rm -f "$SUMS_TMP"
  fi

  chmod +x "$BIN_PATH"
  if [ "$OS" = "Darwin" ] && command -v xattr >/dev/null 2>&1; then
    xattr -d com.apple.quarantine "$BIN_PATH" 2>/dev/null || true
  fi

  if [ "$OS" = "Linux" ]; then
    UNIT_PATH="$HOME/.config/systemd/user/sq-gpu-agent.service"
    mkdir -p "$(dirname "$UNIT_PATH")"
    # Pull cred values from EnvironmentFile rather than baking them
    # into the unit file itself so token rotation is one `sed` away
    # without rewriting the unit (and so `journalctl` doesn't leak the
    # token in the ExecStart line on `systemctl status`).
    cat > "$UNIT_PATH" <<SDEOF
[Unit]
Description=Squadem GPU Agent
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
EnvironmentFile=${AGENT_ENV_FILE}
ExecStart=${BIN_PATH} --central=\${SQUADEM_CENTRAL_URL} --token=\${SQUADEM_AGENT_TOKEN} --port=\${SQUADEM_AGENT_PORT}
Restart=on-failure
RestartSec=5

[Install]
WantedBy=default.target
SDEOF
    systemctl --user daemon-reload 2>/dev/null || true
    systemctl --user enable --now sq-gpu-agent.service 2>/dev/null || \
      warn "Run manually: systemctl --user enable --now sq-gpu-agent.service"
    loginctl enable-linger "$USER" >/dev/null 2>&1 || true
    SVC_HINT="systemctl --user {status|restart|stop} sq-gpu-agent  •  journalctl --user -u sq-gpu-agent -f"
  else  # macOS
    PLIST_PATH="$HOME/Library/LaunchAgents/com.squadem.gpu-agent.plist"
    mkdir -p "$(dirname "$PLIST_PATH")"
    cat > "$PLIST_PATH" <<PLIST
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>Label</key><string>com.squadem.gpu-agent</string>
  <key>ProgramArguments</key>
  <array>
    <string>${BIN_PATH}</string>
    <string>--central=${SQUADEM_CENTRAL_URL}</string>
    <string>--token=${SQUADEM_AGENT_TOKEN}</string>
    <string>--port=${SQUADEM_AGENT_PORT}</string>
  </array>
  <key>WorkingDirectory</key><string>${SQUADEM_DIR}</string>
  <key>RunAtLoad</key><true/>
  <key>KeepAlive</key><true/>
  <key>StandardOutPath</key><string>${SQUADEM_DIR}/sq-gpu-agent.log</string>
  <key>StandardErrorPath</key><string>${SQUADEM_DIR}/sq-gpu-agent.log</string>
</dict></plist>
PLIST
    launchctl unload "$PLIST_PATH" 2>/dev/null || true
    launchctl load "$PLIST_PATH" 2>/dev/null || \
      warn "Run manually: launchctl load $PLIST_PATH"
    SVC_HINT="launchctl {load|unload} ${PLIST_PATH}  •  tail -f ${SQUADEM_DIR}/sq-gpu-agent.log"
  fi
fi  # end COMPONENT=gpu-agent

# ── Wait for health ───────────────────────────────────────────────
if [ "$COMPONENT" = "core" ]; then
  HEALTH_URL="http://localhost:8200/health"; READY_LABEL="Squadem"
else
  HEALTH_URL="http://localhost:${SQUADEM_AGENT_PORT}/health"; READY_LABEL="GPU agent"
fi
info "Waiting for ${READY_LABEL} to be ready..."
TIMEOUT=60; ELAPSED=0; READY=false
while [ $ELAPSED -lt $TIMEOUT ]; do
  if curl -sf "$HEALTH_URL" >/dev/null 2>&1; then READY=true; break; fi
  sleep 2; ELAPSED=$((ELAPSED + 2))
done
if [ "$READY" = "true" ]; then
  info "${READY_LABEL} is healthy"
else
  warn "Not responding at ${HEALTH_URL} yet. Check service logs (see commands below)."
fi

# ── Best-effort install ping ──────────────────────────────────────
curl -s -X POST "${LICENSE_API}/track" \
  -H "Content-Type: application/json" \
  -d "{\"event\":\"install\",\"platform\":\"${OS}-${ARCH}\",\"component\":\"${COMPONENT}\",\"mode\":\"${MODE}\"}" \
  >/dev/null 2>&1 || true

# ── Done ──────────────────────────────────────────────────────────
echo ""
echo "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""
if [ "$COMPONENT" = "core" ]; then
  echo "  ${GREEN}${BOLD}Squadem is running${NC}  (${LICENSE_TIER} plan, ${MODE} mode)"
  echo ""
  echo "  ${BOLD}Dashboard${NC}   http://localhost:8200"
  echo "  ${BOLD}AI Proxy${NC}    http://localhost:8080"
  echo "  ${BOLD}Config${NC}      ${ENV_FILE}"
  echo "  ${BOLD}Data${NC}        ${DATA_DIR}"
  echo "  ${BOLD}Service${NC}     ${SVC_HINT}"
  echo ""
  echo "  Open the dashboard to finish setup (create your admin account)."
else
  echo "  ${GREEN}${BOLD}Squadem GPU agent is running${NC}"
  echo ""
  echo "  ${BOLD}Local API${NC}   http://localhost:${SQUADEM_AGENT_PORT}"
  echo "  ${BOLD}Joining${NC}     ${SQUADEM_CENTRAL_URL}"
  echo "  ${BOLD}Config${NC}      ${AGENT_ENV_FILE}"
  echo "  ${BOLD}Service${NC}     ${SVC_HINT}"
  echo ""
  echo "  In the core dashboard the new node should appear under"
  echo "  ${BOLD}Settings → GPU${NC} within a few seconds."
fi
echo ""
echo "${CYAN}━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━${NC}"
echo ""