#!/bin/zsh
# Strict mode: abort on an unhandled command failure, on use of an unset
# variable, and when any stage of a pipeline fails.
set -euo pipefail

# Exactly one piece of input is required: the site whose login is wanted.
[[ $# -ge 1 ]] || {
  echo "usage: $0 <site>" >&2
  exit 1
}

# Site identifier exactly as the caller gave it (see site_aliases for the
# domains that have extra search terms).
SITE="$1"
# Local JSON credentials file, read only when LastPass does not yield a
# complete username/password pair. It holds plaintext secrets, so it should be
# readable by its owner only.
CRED_FILE="$HOME/.dorian/credentials.json"

# Print the space-separated search terms to try for a site.
# Arguments: $1 - site domain as passed on the command line
# Outputs:   one line on stdout; a known domain yields the domain followed by
#            its aliases, any other value is echoed back unchanged
site_aliases() {
  local domain="$1"
  local terms
  case "$domain" in
    target.com)     terms="target.com target" ;;
    ralphs.com)     terms="ralphs.com ralphs kroger" ;;
    amazon.com)     terms="amazon.com amazon" ;;
    sprouts.com)    terms="sprouts.com sprouts" ;;
    staterbros.com) terms="staterbros.com staterbros stater bros" ;;
    *)              terms="$domain" ;;
  esac
  echo "$terms"
}

# Read one field of one site entry from the JSON credentials file.
# Globals:   CRED_FILE (read) - path of the JSON file
# Arguments: $1 - top-level key of the site entry
#            $2 - field name inside that entry
# Outputs:   the field value on stdout; an empty line when the entry or the
#            field is absent or the value is null
# Returns:   python3's exit status (non-zero when the file cannot be opened
#            or parsed)
# Only the file path and key names travel on the command line; the secret
# itself is read from the file inside the Python process.
get_json_field() {
  local entry_name="$1"
  local wanted="$2"
  python3 - "$CRED_FILE" "$entry_name" "$wanted" <<'PY'
import json
import sys

cred_path, entry_name, wanted = sys.argv[1:4]
with open(cred_path, 'r', encoding='utf-8') as handle:
    store = json.load(handle)
found = store.get(entry_name, {}).get(wanted, '')
print('' if found is None else found)
PY
}

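# Script-local result variables. They are deliberately not named
# USERNAME/PASSWORD, so values inherited from the caller's environment can
# never be mistaken for a resolved credential.
RESOLVED_USERNAME=""
RESOLVED_PASSWORD=""

# Primary source: the LastPass CLI, when it is installed. An installed but
# unauthenticated CLI is a hard failure (exit 5), not a fall-through to the
# credentials file.
if command -v lpass >/dev/null 2>&1; then
  if ! lpass status >/dev/null 2>&1; then
    echo "credential lookup failed: LastPass CLI not authenticated (run: lpass login <email>)" >&2
    exit 5
  fi
  # The alias list is word-split on purpose: every word is one search term.
  # NOTE(review): this turns the "stater bros" alias into the two separate
  # terms "stater" and "bros" - confirm that is intended.
  for CANDIDATE in $(site_aliases "$SITE"); do
    # Best effort: a failed or empty search counts as "no match" so the next
    # alias (or the credentials file) can still be tried. "--" keeps a search
    # term that starts with "-" from being parsed as an lpass option.
    JSON_MATCHES="$(lpass show --expand-multi --json --all --fixed-strings -- "$CANDIDATE" 2>/dev/null || true)"
    # The vault JSON contains plaintext passwords, so it is piped to the
    # parser on stdin (printf is a shell builtin) instead of being passed as a
    # command-line argument, where it would be visible in the process list
    # for as long as python3 runs.
    # NOTE(review): the parser picks the best-scoring username among every
    # entry the search returned and does not check that the entry belongs to
    # the requested site - confirm the aliases cannot match unrelated entries.
    PAIR="$(printf '%s' "$JSON_MATCHES" | python3 -c 'import json,re,sys
# Read the JSON as bytes from stdin; json.loads accepts bytes, and a decoding
# error is handled like any other parse failure below.
raw=sys.stdin.buffer.read().strip()
if not raw:
    print("|"); raise SystemExit
try:
    entries=json.loads(raw)
except Exception:
    print("|"); raise SystemExit
if isinstance(entries, dict):
    entries=[entries]
if not isinstance(entries, list):
    entries=[]
def score(u):
    # Rank usernames: e-mail shaped (3) > 10 or more digits (2) > any other
    # non-empty value (1) > empty (0).
    u=(u or "").strip()
    if "@" in u and "." in u.split("@")[-1]: return 3
    digits=re.sub(r"\D","",u)
    if len(digits)>=10: return 2
    return 1 if u else 0
best=("","",-1)
for e in entries:
    # Skip anything that is not a JSON object instead of crashing on it.
    if not isinstance(e, dict): continue
    u=(e.get("username") or "").strip()
    p=(e.get("password") or "").strip()
    s=score(u)
    # Only entries with both values qualify; the first of equal score wins.
    if u and p and s>best[2]: best=(u,p,s)
print(f"{best[0]}|{best[1]}")')"
    # Split at the first "|"; a username that itself contains "|" would be
    # split in the wrong place.
    CAND_USER="${PAIR%%|*}"
    CAND_PASS="${PAIR#*|}"
    # Accept only a complete pair, so the username and the password always
    # come from the same vault entry.
    if [[ -n "$CAND_USER" && -n "$CAND_PASS" ]]; then
      RESOLVED_USERNAME="$CAND_USER"
      RESOLVED_PASSWORD="$CAND_PASS"
      break
    fi
  done
fi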

# Fallback source: the local JSON credentials file, used only for whatever the
# LastPass lookup left empty.
if [[ -z "$RESOLVED_USERNAME" || -z "$RESOLVED_PASSWORD" ]]; then
  [[ -f "$CRED_FILE" ]] || {
    echo "credential lookup failed: missing LastPass values and $CRED_FILE not found" >&2
    exit 2
  }
  # Map the site domain to the key used inside the credentials file; a domain
  # without a mapping cannot be looked up there.
  case "$SITE" in
    target.com)     SITE_KEY="target" ;;
    ralphs.com)     SITE_KEY="ralphs" ;;
    amazon.com)     SITE_KEY="amazon" ;;
    sprouts.com)    SITE_KEY="sprouts" ;;
    staterbros.com) SITE_KEY="stater_bros" ;;
    *)
      echo "unsupported site: $SITE" >&2
      exit 3
      ;;
  esac
  # Reader errors (unreadable or malformed file) are silenced on purpose; they
  # leave the value empty and surface as exit 4 below.
  if [[ -z "$RESOLVED_USERNAME" ]]; then
    RESOLVED_USERNAME="$(get_json_field "$SITE_KEY" username 2>/dev/null || true)"
  fi
  if [[ -z "$RESOLVED_PASSWORD" ]]; then
    RESOLVED_PASSWORD="$(get_json_field "$SITE_KEY" password 2>/dev/null || true)"
  fi
fi

# Neither source produced a complete pair: fail without printing anything on
# stdout.
[[ -n "$RESOLVED_USERNAME" && -n "$RESOLVED_PASSWORD" ]] || {
  echo "credential lookup failed for $SITE" >&2
  exit 4
}

# Clean up credential-manager output: drop every carriage return, then trim
# leading and trailing whitespace on each line. The values reach sed through a
# pipe fed by the printf builtin, not through a command-line argument.
strip_edges() {
  sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//'
}
RESOLVED_USERNAME="$(printf '%s' "${RESOLVED_USERNAME//$'\r'/}" | strip_edges)"
RESOLVED_PASSWORD="$(printf '%s' "${RESOLVED_PASSWORD//$'\r'/}" | strip_edges)"

# Result contract: two KEY=value lines on stdout. The password is emitted in
# the clear and the values are not shell-quoted, so the consumer should capture
# and parse this output directly, keep it out of logs and shell traces, and
# never eval or source it.
printf 'USERNAME=%s\nPASSWORD=%s\n' "$RESOLVED_USERNAME" "$RESOLVED_PASSWORD"
