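//! Seed storage for the local identity.
//!
//! Phase 1 stores the 32-byte seed in **plaintext** under
//! `$HOME/.warzone/identity.seed`, relying only on file permissions
//! (owner read/write, Unix only) to protect it. Encryption at rest with a
//! passphrase (Argon2 + ChaCha20-Poly1305) is still TODO; until it lands,
//! anything that can read the user's home directory can read the seed.

use std::fs;
use std::io::{ErrorKind, Write};
use std::path::{Path, PathBuf};

use warzone_protocol::identity::Seed;

/// Exact size in bytes of a serialized seed file.
const SEED_LEN: usize = 32;

/// Location of the seed file: `$HOME/.warzone/identity.seed`.
///
/// Falls back to the current directory when `HOME` is unset, so on a
/// minimal environment the seed may land in the working directory.
fn seed_path() -> PathBuf {
    let home = std::env::var("HOME").unwrap_or_else(|_| ".".into());
    PathBuf::from(home).join(".warzone").join("identity.seed")
}

/// Opens `path` for writing (create + truncate) with owner-only permissions.
///
/// On Unix the `0o600` mode is passed to `open(2)` so a newly created file
/// never exists with umask-derived (typically world-readable) permissions.
/// `mode` only applies to files being created, so an existing file is
/// tightened explicitly afterwards as well. On other platforms the
/// platform default permissions apply.
fn open_owner_only(path: &Path) -> std::io::Result<fs::File> {
    let mut opts = fs::OpenOptions::new();
    opts.write(true).create(true).truncate(true);
    #[cfg(unix)]
    {
        use std::os::unix::fs::OpenOptionsExt;
        opts.mode(0o600);
    }
    let file = opts.open(path)?;
    #[cfg(unix)]
    {
        use std::os::unix::fs::PermissionsExt;
        file.set_permissions(fs::Permissions::from_mode(0o600))?;
    }
    Ok(file)
}

/// Writes `seed` to the seed file, creating `~/.warzone` if needed.
///
/// The file is opened with owner-only permissions *before* any bytes are
/// written (see [`open_owner_only`]), which closes the window the previous
/// `fs::write` + `set_permissions` sequence left open. The write is synced
/// to disk before returning because losing this file means losing the
/// identity.
///
/// # Errors
/// Returns any I/O error from creating the directory, opening, writing or
/// syncing the file.
pub fn save_seed(seed: &Seed) -> anyhow::Result<()> {
    let path = seed_path();
    if let Some(parent) = path.parent() {
        fs::create_dir_all(parent)?;
    }
    // TODO: encrypt with passphrase (Argon2 + ChaCha20-Poly1305)
    let mut file = open_owner_only(&path)?;
    file.write_all(&seed.0)?;
    file.sync_all()?;
    Ok(())
}

/// Reads the seed back from the seed file.
///
/// # Errors
/// - "No identity found" when the file does not exist;
/// - any other I/O error (e.g. permission denied) reported as such, with
///   the path, rather than disguised as a missing identity;
/// - "Corrupted seed file" when the file is not exactly 32 bytes.
pub fn load_seed() -> anyhow::Result<Seed> {
    let path = seed_path();
    let bytes = fs::read(&path).map_err(|e| match e.kind() {
        ErrorKind::NotFound => {
            anyhow::anyhow!("No identity found. Run `warzone init` first.")
        }
        _ => anyhow::anyhow!("Failed to read seed file {}: {}", path.display(), e),
    })?;
    if bytes.len() != SEED_LEN {
        anyhow::bail!("Corrupted seed file");
    }
    let mut seed_bytes = [0u8; SEED_LEN];
    seed_bytes.copy_from_slice(&bytes);
    // NOTE: neither `bytes` nor `seed_bytes` is zeroized after use (std has
    // no zeroize), so the plaintext seed may linger in freed memory.
    Ok(Seed::from_bytes(seed_bytes))
}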