#!/usr/bin/env bash
# unmail — Hardened vault decryption client
set -euo pipefail
# inherit_errexit (bash 4.4+) extends `set -e` into $(...) substitutions;
# older bash rejects the option, so that failure is deliberately tolerated.
shopt -s inherit_errexit 2>/dev/null || true

# Locate the directory holding this script so the client library is loaded
# relative to it, independent of the caller's working directory.
script_dir="$(dirname "$0")"
SDIR="$(cd "${script_dir}" && pwd)"
unset script_dir
source "${SDIR}/se_client.sh"

# ── Input validation ───────────────────────────────────────────────────────
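if [[ $# -lt 1 ]]; then
    printf 'Usage: %s encrypted_file_path\n' "$0" >&2
    exit 1
fi

readonly FILE="${1:-}"

# Allowed roots: only absolute paths below these directories may be handed
# to the engine.  The policy is applied to the path as given AND to its
# canonical form (symlinks and `..` resolved), so neither
# `/opt/../etc/shadow` nor a symlink planted under /opt can escape it.
readonly ALLOWED_ROOT_RE='^/(opt|var|run|dev/shm)/'

# Reject an out-of-policy path before touching the filesystem, so this
# script cannot be used as an existence oracle for paths it must not read.
if [[ ! "${FILE}" =~ ${ALLOWED_ROOT_RE} ]]; then
    se_log "err" "decrypt: path not in allowed directory: ${FILE}"
    exit 1
fi

# Lexical traversal check: a `..` component lets the prefix regex match
# while the real target lies somewhere else entirely.
if [[ "${FILE}" == *"/../"* || "${FILE}" == *"/.." ]]; then
    se_log "err" "decrypt: path traversal rejected: ${FILE}"
    exit 1
fi

# Must be an existing regular file (-f follows symlinks).
if [[ ! -f "${FILE}" ]]; then
    se_log "err" "decrypt: file not found ${FILE}"
    exit 1
fi

# The canonical path must also sit under an allowed root; this closes the
# symlink escape.  NOTE: the engine opens the path later, so a race between
# this check and that open remains — the engine should re-validate too.
RESOLVED="$(readlink -f "${FILE}")" || {
    se_log "err" "decrypt: cannot resolve ${FILE}"
    exit 1
}
readonly RESOLVED
if [[ ! "${RESOLVED}" =~ ${ALLOWED_ROOT_RE} ]]; then
    se_log "err" "decrypt: resolved path not in allowed directory: ${RESOLVED}"
    exit 1
fi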

# ── Decrypt via engine API ─────────────────────────────────────────────────
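# Scratch file lives on tmpfs so its contents never reach persistent storage.
# NOTE(review): nothing in this script writes to TMP; if the sourced client
# library does not use it either, it and cleanup_unmail can be dropped.
TMP=""

#######################################
# Scrub and remove the scratch file.  Truncate first so that even if the
# unlink fails (or the inode is hard-linked elsewhere) no data remains.
# Globals:  TMP (read)
# Returns:  always 0 — best effort; errors are deliberately ignored
#######################################
cleanup_unmail() {
    [[ -n "${TMP}" ]] || return 0
    >"${TMP}" 2>/dev/null || true
    rm -f -- "${TMP}" 2>/dev/null || true
}

# Install the trap BEFORE creating the file so there is no window in which a
# failure (e.g. a failing chmod under set -e) exits without cleanup.  INT and
# TERM are routed through `exit` so the EXIT trap also fires on a signal.
trap cleanup_unmail EXIT
trap 'exit 130' INT
trap 'exit 143' TERM

# mktemp already creates the file 0600; the chmod restates that explicitly.
TMP="$(mktemp /dev/shm/.se_dec.XXXXXX)" || {
    se_log "err" "decrypt: cannot create scratch file in /dev/shm"
    exit 1
}
chmod 600 "${TMP}"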

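# Key material never passes through this client: only the *path* to the key
# is sent and the engine reads it.  jq --arg JSON-encodes both values, so the
# file path cannot break out of the request body.
readonly VAULT_KEY_FILE='/dev/shm/vault.key'
BODY="$(jq -n --arg p "${FILE}" --arg k "${VAULT_KEY_FILE}" '{"path":$p,"key_file":$k}')"

# A transport failure still ends in the generic failure below, but record the
# status instead of discarding it so an engine outage is distinguishable from
# a bad ciphertext in the log.  A partial response from a failed request is
# not trusted: RESP is cleared rather than parsed.
post_rv=0
RESP="$(se_curl_post "/a/vault/decrypt" "${BODY}" 2>/dev/null)" || post_rv=$?
if (( post_rv != 0 )); then
    se_log "err" "decrypt: engine request failed (status ${post_rv}) for ${FILE}"
    RESP=""
fi

if [[ -n "${RESP}" ]]; then
    # Accept either field name.  `//` treats null/false as absent and `empty`
    # yields no output, which the -n test below turns into a failure.
    PLAINTEXT="$(printf '%s' "${RESP}" | jq -r '.plaintext // .data // empty' 2>/dev/null)" || PLAINTEXT=""
    if [[ -n "${PLAINTEXT}" ]]; then
        # NOTE: bash variables cannot hold NUL bytes, so a plaintext that is
        # raw binary would be silently altered on the way through — TODO
        # confirm the engine returns text (or an encoding such as base64).
        printf '%s' "${PLAINTEXT}"
        se_log "info" "decrypt: ${FILE} decrypted"
        exit 0
    fi
fi

# Never log RESP itself: it may carry (partial) plaintext.
se_log "err" "decrypt: ${FILE} failed"
exit 1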
