name: authenticated-service
description: "Slack Path 1: Identity Layer. Implements User Auth, JWT generation, and Protected Middleware."
version: 1

vars:
  project_name: ""
  service_name: "auth-api"
  feature_slug: "auth-system"

steps:
  # --- Infrastructure ---
  create-project:
    action: api
    method: POST
    endpoint: /project
    body:
      name: "{{ .vars.project_name }}"
      description: "Slack Path 1: Authentication"
    outputs:
      - project_id: .data.name
      - domain: .data.domain

  add-db:
    description: Add CockroachDB for user storage
    depends_on: [create-project]
    action: api
    method: POST
    endpoint: "/projects/{{ .outputs.create-project.project_id }}/components"
    body:
      type: postgres
      name: "main-db"
    outputs:
      - db_url: .data.connection_string

  add-service:
    description: Add API service
    depends_on: [add-db]
    action: api
    method: POST
    endpoint: "/projects/{{ .outputs.create-project.project_id }}/components"
    body:
      type: service
      name: "{{ .vars.service_name }}"
      template: service

  wait-init:
    depends_on: [add-service]
    action: wait_pipeline
    project_id: "{{ .outputs.create-project.project_id }}"

  verify-notify-domain:
    description: Wait for the project email domain to be verified by Resend
    depends_on: [wait-init]
    on_error: continue
    action: shell
    command: |
      PROJECT_ID="{{ .outputs.create-project.project_id }}"
      API_URL="${RDEV_API_URL:-https://rdev.masq-ops.orchard9.ai}"
      for i in $(seq 1 12); do
        STATUS=$(curl -sf "$API_URL/projects/$PROJECT_ID/notify/status" \
          -H "X-API-Key: $RDEV_API_KEY" | jq -r '.data.status // empty' 2>/dev/null)
        echo "notify domain status (attempt $i/12): $STATUS"
        if [ "$STATUS" = "verified" ]; then
          echo "Email domain verified — OTP and auth emails will work"
          exit 0
        fi
        if [ "$STATUS" = "not_configured" ]; then
          echo "Notify not configured — skipping"
          exit 0
        fi
        sleep 30
      done
      echo "Email domain not verified after 6 minutes — continuing, but OTP emails may fail"
      exit 0

  # --- SDLC: Build Auth ---
  create-feature:
    depends_on: [verify-notify-domain]
    action: api
    method: POST
    endpoint: "/projects/{{ .outputs.create-project.project_id }}/sdlc/features"
    body:
      slug: "{{ .vars.feature_slug }}"
      title: "Authentication System"

  implement-auth:
    description: "Agent implements Login, Register, and JWT Middleware"
    depends_on: [create-feature]
    action: api
    method: POST
    endpoint: "/projects/{{ .outputs.create-project.project_id }}/builds"
    body:
      prompt: "/implement-feature {{ .vars.feature_slug }} --requirements 'User model with email/password. POST /register, POST /login (returns JWT). Middleware that checks Authorization header. GET /me returns user profile.'"
      auto_commit: true
      auto_push: true
      git_clone_url: "https://git.threesix.ai/threesix/{{ .outputs.create-project.project_id }}.git"
    outputs:
      - build_id: .data.task_id

  wait-build:
    description: Wait for agent code generation
    depends_on: [implement-auth]
    action: wait_build
    build_id: "{{ .outputs.implement-auth.build_id }}"
    max_attempts: 120
    poll_interval: 5

  wait-deploy:
    depends_on: [wait-build]
    action: wait_pipeline
    project_id: "{{ .outputs.create-project.project_id }}"

  # --- Verification ---
  verify-service-running:
    description: "Verify the auth service is running and reachable"
    depends_on: [wait-deploy]
    action: shell
    command: |
      DOMAIN="{{ .outputs.create-project.domain }}"
      SERVICE_NAME="{{ .vars.service_name }}"

      # Check health endpoint
      HEALTH=$(curl -s "https://$DOMAIN/api/$SERVICE_NAME/health" | jq -r '.data.status // empty')
      if [ "$HEALTH" == "healthy" ]; then
        echo "Service healthy: /api/$SERVICE_NAME/health returned healthy"
        exit 0
      else
        echo "Fail: service not healthy"
        exit 1
      fi

  verify-login-flow:
    description: "Register -> Login -> Access Protected Route (optional - depends on agent implementation)"
    depends_on: [verify-service-running]
    on_error: continue
    action: shell
    command: |
      DOMAIN="{{ .outputs.create-project.domain }}"
      SERVICE_NAME="{{ .vars.service_name }}"
      PROJECT_ID="{{ .outputs.create-project.project_id }}"
      EMAIL="test-${PROJECT_ID}@example.com"
      BASE_URL="https://$DOMAIN/api/$SERVICE_NAME"

      # 1. Register
      echo "Registering $EMAIL..."
      REGISTER_RESP=$(curl -s -X POST "$BASE_URL/register" \
        -H "Content-Type: application/json" \
        -d "{\"email\":\"$EMAIL\",\"password\":\"hunter2\"}")
      echo "Register response: $REGISTER_RESP"

      # 2. Login
      echo "Logging in..."
      LOGIN_RESP=$(curl -s -X POST "$BASE_URL/login" \
        -H "Content-Type: application/json" \
        -d "{\"email\":\"$EMAIL\",\"password\":\"hunter2\"}")
      echo "Login response: $LOGIN_RESP"
      TOKEN=$(echo "$LOGIN_RESP" | jq -r .token)

      if [ -z "$TOKEN" ] || [ "$TOKEN" == "null" ]; then
        echo "Failed: Could not get token from login response"
        exit 1
      fi

      # 3. Access Protected
      echo "Accessing protected route..."
      RESP=$(curl -s -H "Authorization: Bearer $TOKEN" "$BASE_URL/me")
      echo "Protected response: $RESP"
      if echo "$RESP" | grep -q "$EMAIL"; then echo "Login flow OK"; exit 0; else echo "Failed: Email not found in response"; exit 1; fi

teardown:
  - action: api
    method: DELETE
    endpoint: "/project/{{ .outputs.create-project.project_id }}"