setup.bat

@echo off
setlocal enabledelayedexpansion
REM =================================================================
REM DecentraLabs Gateway - Full Version Setup Script (Windows)
REM Complete blockchain-based authentication system with blockchain-services
REM =================================================================

set "ROOT_ENV_FILE=.env"
set "BLOCKCHAIN_ENV_FILE=blockchain-services\.env"
set "compose_cmd=docker compose"
set "compose_files="
set "compose_full="
set "cf_enabled=0"
set "certbot_enabled=0"
set "aas_enabled=0"
set "fmu_runner_enabled=1"
set "external_aas_url="
set "existing_mysql_root_password="
set "existing_mysql_password="
set "db_credentials_changed=0"
set "reset_mysql_volume=0"
set "mysql_volume_name="
echo DecentraLabs Gateway - Full Version Setup
echo ==========================================
echo.

REM Check prerequisites
echo Checking prerequisites...
docker --version >nul 2>&1
if errorlevel 1 (
    echo Docker is not installed. Please install Docker Desktop first.
    echo    Visit: https://docs.docker.com/desktop/install/windows-install/
    pause
    exit /b 1
)

docker compose version >nul 2>&1
if errorlevel 1 (
    echo Docker Compose V2 is not available.
    echo    Visit: https://docs.docker.com/compose/install/
    pause
    exit /b 1
)

git --version >nul 2>&1
if errorlevel 1 (
    echo Git is required to initialize the blockchain-services submodule.
    pause
    exit /b 1
)

echo Docker, Docker Compose, and Git are available
echo.

echo Ensuring blockchain-services submodule is present...
git submodule update --init --recursive blockchain-services
if errorlevel 1 (
    echo Failed to initialize blockchain-services submodule.
    pause
    exit /b 1
)
echo blockchain-services submodule ready.
echo.

call :ReadEnvValue "%ROOT_ENV_FILE%" "MYSQL_ROOT_PASSWORD" existing_mysql_root_password
call :ReadEnvValue "%ROOT_ENV_FILE%" "MYSQL_PASSWORD" existing_mysql_password
REM Check if .env already exists
if exist "%ROOT_ENV_FILE%" (
    echo .env file already exists!
    set /p "overwrite=Do you want to overwrite it? (y/N): "
    if defined overwrite set "overwrite=!overwrite: =!"
    if /i "!overwrite!"=="y" (
        copy ".env.example" "%ROOT_ENV_FILE%" >nul
        echo Overwritten .env file from template
    ) else (
        echo Keeping existing .env file.
    )
) else (
    copy ".env.example" "%ROOT_ENV_FILE%" >nul
    echo Created .env file from template
)
echo.

if exist "%BLOCKCHAIN_ENV_FILE%" (
    echo blockchain-services\.env already exists.
) else (
    if exist "blockchain-services\.env.example" (
        copy "blockchain-services\.env.example" "%BLOCKCHAIN_ENV_FILE%" >nul
        echo Created blockchain-services\.env from template
    ) else (
        echo blockchain-services\.env.example not found. Please update the submodule.
        pause
        exit /b 1
    )
)
echo.

REM Database Passwords
echo Database Passwords
echo ===================
echo Enter database passwords (leave empty for auto-generated):
set "mysql_root_password="
set "mysql_password="
set /p "mysql_root_password=MySQL root password: "
set /p "mysql_password=Guacamole database password: "

if "!mysql_root_password!"=="" (
    if not "!existing_mysql_root_password!"=="" (
        call :IsPlaceholderSecret "!existing_mysql_root_password!"
        if errorlevel 1 (
            set "mysql_root_password=!existing_mysql_root_password!"
            echo Reusing existing MySQL root password from .env
        )
    )
)
if "!mysql_root_password!"=="" (
    call :GenerateHex 16 generated_hex
    if not defined generated_hex set "generated_hex=P@ss_%RANDOM%_%TIME:~9%"
    set "mysql_root_password=R00t_!generated_hex!"
    if defined mysql_root_password set "mysql_root_password=!mysql_root_password: =!"
    echo Generated root password: !mysql_root_password!
)

if "!mysql_password!"=="" (
    if not "!existing_mysql_password!"=="" (
        call :IsPlaceholderSecret "!existing_mysql_password!"
        if errorlevel 1 (
            set "mysql_password=!existing_mysql_password!"
            echo Reusing existing Guacamole DB password from .env
        )
    )
)
if "!mysql_password!"=="" (
    call :GenerateHex 16 generated_hex
    if not defined generated_hex set "generated_hex=%RANDOM%_%TIME:~9%"
    set "mysql_password=Gu@c_!generated_hex!"
    if defined mysql_password set "mysql_password=!mysql_password: =!"
    echo Generated database password: !mysql_password!
)

call :UpdateEnv "%ROOT_ENV_FILE%" "MYSQL_ROOT_PASSWORD" "!mysql_root_password!"
call :UpdateEnv "%ROOT_ENV_FILE%" "MYSQL_PASSWORD" "!mysql_password!"

set "db_credentials_changed=0"
if not "!mysql_root_password!"=="!existing_mysql_root_password!" set "db_credentials_changed=1"
if not "!mysql_password!"=="!existing_mysql_password!" set "db_credentials_changed=1"

for /f %%V in ('powershell -NoLogo -NoProfile -Command "$p=$env:COMPOSE_PROJECT_NAME; if (-not $p) { $p=[IO.Path]::GetFileName((Get-Location).Path).ToLowerInvariant() -replace '[^a-z0-9]','' }; $vol=docker volume ls -q --filter \"label=com.docker.compose.project=$p\" --filter \"label=com.docker.compose.volume=mysql_data\" | Select-Object -First 1; if (-not $vol) { $fallback=($p + '_mysql_data'); docker volume inspect $fallback *> $null; if ($LASTEXITCODE -eq 0) { $vol=$fallback } }; if ($vol) { $vol }"') do set "mysql_volume_name=%%V"

if "!db_credentials_changed!"=="1" if defined mysql_volume_name (
    echo.
    echo Detected existing MySQL volume: !mysql_volume_name!
    echo Database credentials changed in .env, so startup can fail with Access denied ^(1045^).
    set /p "reset_mysql_input=Reset MySQL volume now to apply new credentials? This removes MySQL data. (y/N): "
    if defined reset_mysql_input set "reset_mysql_input=!reset_mysql_input: =!"
    if /i "!reset_mysql_input!"=="y" (
        set "reset_mysql_volume=1"
        echo MySQL volume will be reset before startup.
    ) else if /i "!reset_mysql_input!"=="yes" (
        set "reset_mysql_volume=1"
        echo MySQL volume will be reset before startup.
    ) else (
        echo Keeping existing MySQL volume. If startup fails, run: docker compose down -v
    )
)

echo.
echo IMPORTANT: Save these passwords securely!
echo    Root password: !mysql_root_password!
echo    Database password: !mysql_password!
echo.

REM Guacamole Admin Credentials
echo.
echo Guacamole Admin Credentials
echo ============================
echo These are the credentials for the Guacamole web interface.
echo A strong admin password is required.
set "guac_admin_user="
set "guac_admin_pass="
set /p "guac_admin_user=Guacamole admin username [guacadmin]: "
set /p "guac_admin_pass=Guacamole admin password (leave empty for auto-generated): "

if "!guac_admin_user!"=="" set "guac_admin_user=guacadmin"
if "!guac_admin_pass!"=="" (
    call :GenerateHex 16 generated_hex
    if not defined generated_hex set "generated_hex=%RANDOM%_%TIME:~9%"
    set "guac_admin_pass=Guac_!generated_hex!"
    if defined guac_admin_pass set "guac_admin_pass=!guac_admin_pass: =!"
    echo Generated Guacamole admin password: !guac_admin_pass!
)
if /i "!guac_admin_pass!"=="guacadmin" (
    echo Refusing to use insecure Guacamole admin password. Set a strong value.
    exit /b 1
)
if /i "!guac_admin_pass!"=="changeme" (
    echo Refusing to use insecure Guacamole admin password. Set a strong value.
    exit /b 1
)
if /i "!guac_admin_pass!"=="change_me" (
    echo Refusing to use insecure Guacamole admin password. Set a strong value.
    exit /b 1
)
if /i "!guac_admin_pass!"=="password" (
    echo Refusing to use insecure Guacamole admin password. Set a strong value.
    exit /b 1
)
if /i "!guac_admin_pass!"=="test" (
    echo Refusing to use insecure Guacamole admin password. Set a strong value.
    exit /b 1
)

call :UpdateEnv "%ROOT_ENV_FILE%" "GUAC_ADMIN_USER" "!guac_admin_user!"
call :UpdateEnv "%ROOT_ENV_FILE%" "GUAC_ADMIN_PASS" "!guac_admin_pass!"
echo.

REM Admin Access Token
echo Admin Access Token
echo ============================
echo This token protects /wallet, /billing, /wallet-dashboard, and /billing/admin/** behind OpenResty.
set "access_token="
set /p "access_token=Admin access token (leave empty for auto-generated): "
if defined access_token set "access_token=!access_token: =!"
if "!access_token!"=="=" set "access_token="
if /i "!access_token!"=="CHANGE_ME" set "access_token="

if "!access_token!"=="" (
    call :GenerateHex 16 generated_hex
    if not defined generated_hex set "generated_hex=%RANDOM%%RANDOM%%RANDOM%"
    set "access_token=acc_!generated_hex!"
    echo Generated admin access token: !access_token!
)

call :UpdateEnvBoth "ADMIN_ACCESS_TOKEN" "!access_token!"
call :UpdateEnvBoth "ADMIN_ACCESS_TOKEN_HEADER" "X-Access-Token"
call :UpdateEnvBoth "ADMIN_ACCESS_TOKEN_COOKIE" "access_token"
call :UpdateEnvBlockchainOnly "ADMIN_ACCESS_TOKEN_REQUIRED" "true"
call :UpdateEnvBlockchainOnly "ADMIN_DASHBOARD_LOCAL_ONLY" "true"
echo.
echo Wallet Dashboard Access Scope
echo =============================
echo Choose how /wallet-dashboard and wallet/billing admin routes are exposed:
echo   1^) Localhost only ^(recommended^)
echo   2^) Private networks + admin access token
set "dashboard_access_scope="
set /p "dashboard_access_scope=Choose [1/2] (default: 1): "
if defined dashboard_access_scope set "dashboard_access_scope=!dashboard_access_scope: =!"
if "!dashboard_access_scope!"=="2" (
    call :UpdateEnvBlockchainOnly "SECURITY_ALLOW_PRIVATE_NETWORKS" "true"
    call :UpdateEnvBlockchainOnly "ADMIN_DASHBOARD_ALLOW_PRIVATE" "true"
    call :UpdateEnvBlockchainOnly "ADMIN_DASHBOARD_LOCAL_ONLY" "false"
    set "admin_allowed_cidrs="
    set /p "admin_allowed_cidrs=Allowed private CIDRs (comma-separated, leave empty for any private range): "
    if defined admin_allowed_cidrs set "admin_allowed_cidrs=!admin_allowed_cidrs: =!"
    call :UpdateEnvBlockchainOnly "ADMIN_ALLOWED_CIDRS" "!admin_allowed_cidrs!"
    echo Configured wallet dashboard access for private networks protected by ADMIN_ACCESS_TOKEN.
) else (
    call :UpdateEnvBlockchainOnly "SECURITY_ALLOW_PRIVATE_NETWORKS" "false"
    call :UpdateEnvBlockchainOnly "ADMIN_DASHBOARD_ALLOW_PRIVATE" "false"
    call :UpdateEnvBlockchainOnly "ADMIN_DASHBOARD_LOCAL_ONLY" "true"
    call :UpdateEnvBlockchainOnly "ADMIN_ALLOWED_CIDRS" ""
    echo Configured wallet dashboard access for localhost only.
)
echo.

REM Lab Manager Access Token
echo Lab Manager Access Token
echo ========================
echo This token protects /lab-manager and /ops when accessed outside private networks.
set "lab_manager_token="
set /p "lab_manager_token=Lab Manager token (leave empty for auto-generated): "
if defined lab_manager_token set "lab_manager_token=!lab_manager_token: =!"
if "!lab_manager_token!"=="=" set "lab_manager_token="
if /i "!lab_manager_token!"=="CHANGE_ME" set "lab_manager_token="

if "!lab_manager_token!"=="" (
    call :GenerateHex 16 generated_hex
    if not defined generated_hex set "generated_hex=%RANDOM%%RANDOM%%RANDOM%"
    set "lab_manager_token=lab_!generated_hex!"
    echo Generated Lab Manager token: !lab_manager_token!
)

call :UpdateEnv "%ROOT_ENV_FILE%" "LAB_MANAGER_TOKEN" "!lab_manager_token!"
call :UpdateEnv "%ROOT_ENV_FILE%" "LAB_MANAGER_TOKEN_HEADER" "X-Lab-Manager-Token"
call :UpdateEnv "%ROOT_ENV_FILE%" "LAB_MANAGER_TOKEN_COOKIE" "lab_manager_token"
echo.



REM Domain Configuration
echo Domain Configuration
echo =====================
echo Enter your domain name (or press Enter for localhost):
set /p "domain=Domain: "
if defined domain set "domain=!domain: =!"
if not defined domain set "domain=localhost"
if "!domain!"=="" set "domain=localhost"

if /i "!domain!"=="localhost" (
    echo Configuring for local development...
    call :UpdateEnv "%ROOT_ENV_FILE%" "SERVER_NAME" "localhost"
    call :UpdateEnv "%ROOT_ENV_FILE%" "HTTPS_PORT" "8443"
    call :UpdateEnv "%ROOT_ENV_FILE%" "HTTP_PORT" "8081"
    call :UpdateEnv "%ROOT_ENV_FILE%" "OPENRESTY_BIND_ADDRESS" "127.0.0.1"
    call :UpdateEnv "%ROOT_ENV_FILE%" "OPENRESTY_BIND_HTTPS_PORT" "8443"
    call :UpdateEnv "%ROOT_ENV_FILE%" "OPENRESTY_BIND_HTTP_PORT" "8081"
    set "https_port=8443"
    set "http_port=8081"
    echo    * Server: https://localhost:8443
    echo    * Using development ports ^(8443/8081^)
) else (
    echo Configuring for production...
    call :UpdateEnv "%ROOT_ENV_FILE%" "SERVER_NAME" "!domain!"
    
    echo.
    echo Deployment Mode
    echo ---------------
    echo How is the gateway exposed to the internet?
    echo   1^) Direct - Gateway has a public IP ^(ports bound directly^)
    echo   2^) Router - Behind NAT/router with port forwarding ^(e.g., router:8043 -^> host:443^)
    set /p "deploy_mode=Choose [1/2] (default: 1): "
    if defined deploy_mode set "deploy_mode=!deploy_mode: =!"
    
    if "!deploy_mode!"=="2" (
        echo Router mode selected.
        call :UpdateEnv "%ROOT_ENV_FILE%" "OPENRESTY_BIND_ADDRESS" "0.0.0.0"
        set /p "public_https=Public HTTPS port (the port clients use, e.g., 8043): "
        if defined public_https set "public_https=!public_https: =!"
        if "!public_https!"=="" set "public_https=443"
        set /p "local_https=Local HTTPS port to bind on this host (default: 443): "
        if defined local_https set "local_https=!local_https: =!"
        if "!local_https!"=="" set "local_https=443"
        set /p "public_http=Public HTTP port (default: 80): "
        if defined public_http set "public_http=!public_http: =!"
        if "!public_http!"=="" set "public_http=80"
        set /p "local_http=Local HTTP port to bind on this host (default: 80): "
        if defined local_http set "local_http=!local_http: =!"
        if "!local_http!"=="" set "local_http=80"
        call :UpdateEnv "%ROOT_ENV_FILE%" "HTTPS_PORT" "!public_https!"
        call :UpdateEnv "%ROOT_ENV_FILE%" "HTTP_PORT" "!public_http!"
        call :UpdateEnv "%ROOT_ENV_FILE%" "OPENRESTY_BIND_HTTPS_PORT" "!local_https!"
        call :UpdateEnv "%ROOT_ENV_FILE%" "OPENRESTY_BIND_HTTP_PORT" "!local_http!"
        set "https_port=!public_https!"
        set "http_port=!public_http!"
        echo    * Public URL: https://!domain!:!public_https!
        echo    * OpenResty will bind to 0.0.0.0:!local_https! and 0.0.0.0:!local_http!
    ) else (
        echo Direct mode selected.
        call :UpdateEnv "%ROOT_ENV_FILE%" "OPENRESTY_BIND_ADDRESS" "0.0.0.0"
        set /p "direct_https=HTTPS port (default: 443): "
        if defined direct_https set "direct_https=!direct_https: =!"
        if "!direct_https!"=="" set "direct_https=443"
        set /p "direct_http=HTTP port (default: 80): "
        if defined direct_http set "direct_http=!direct_http: =!"
        if "!direct_http!"=="" set "direct_http=80"
        call :UpdateEnv "%ROOT_ENV_FILE%" "HTTPS_PORT" "!direct_https!"
        call :UpdateEnv "%ROOT_ENV_FILE%" "HTTP_PORT" "!direct_http!"
        call :UpdateEnv "%ROOT_ENV_FILE%" "OPENRESTY_BIND_HTTPS_PORT" "!direct_https!"
        call :UpdateEnv "%ROOT_ENV_FILE%" "OPENRESTY_BIND_HTTP_PORT" "!direct_http!"
        set "https_port=!direct_https!"
        set "http_port=!direct_http!"
        echo    * Server: https://!domain!:!direct_https!
        echo    * Using ports ^(!direct_https!/!direct_http!^)
    )
)
echo.

echo JWT Issuer ^(Full/Lite^)
echo ======================
echo ISSUER controls which JWT issuer OpenResty accepts:
echo   - Leave empty -^> Full mode ^(this gateway handles auth + access^).
echo   - Set https://^<your-full-gateway-domain^>/auth -^> Lite mode ^(trust Full-issued JWTs^).
echo   - In Lite mode, public key sync is automatic from https://^<issuer-origin^>/.well-known/public-key.pem.
echo   - Lite mode disables local auth/billing/intents endpoints, but keeps lab/FMU access using those external JWTs.
call :ReadEnvValue "%ROOT_ENV_FILE%" "ISSUER" current_issuer
if defined current_issuer (
    echo Current ISSUER in .env: !current_issuer!
) else (
    echo Current ISSUER in .env: ^(empty^)
)
set "issuer_value="
set /p "issuer_value=ISSUER [empty->Full, https://full/auth->Lite]: "
if defined issuer_value set "issuer_value=!issuer_value: =!"
call :UpdateEnv "%ROOT_ENV_FILE%" "ISSUER" "!issuer_value!"
if "!issuer_value!"=="" (
    echo    * ISSUER left empty ^(Full mode^).
) else (
    echo    * ISSUER set to: !issuer_value! ^(Lite mode^).
)
echo.

echo FMU Runner Integration
echo ======================
echo Controls whether /fmu and FMU AAS sync routes are active on this gateway.
echo When disabled, OpenResty starts without requiring the fmu-runner container and those routes return 503.
echo FMU runner is started unless FMU_RUNNER_ENABLED is explicitly set to false.
set "current_fmu_runner_enabled="
call :ReadEnvValue "%ROOT_ENV_FILE%" "FMU_RUNNER_ENABLED" current_fmu_runner_enabled
if not defined current_fmu_runner_enabled (
    set "current_fmu_runner_enabled=true"
) else (
    if /i "!current_fmu_runner_enabled!"=="false" (
        set "current_fmu_runner_enabled=false"
    ) else if /i "!current_fmu_runner_enabled!"=="0" (
        set "current_fmu_runner_enabled=false"
    ) else if /i "!current_fmu_runner_enabled!"=="no" (
        set "current_fmu_runner_enabled=false"
    ) else (
        set "current_fmu_runner_enabled=true"
    )
)
if /i "!current_fmu_runner_enabled!"=="true" (
    set "fmu_prompt=Y/n"
) else (
    set "fmu_prompt=y/N"
)
set "enable_fmu_runner="
set /p "enable_fmu_runner=Enable FMU runner integration? [!fmu_prompt!]: "
if defined enable_fmu_runner set "enable_fmu_runner=!enable_fmu_runner: =!"
if /i "!enable_fmu_runner!"=="" (
    if /i "!current_fmu_runner_enabled!"=="true" (
        set "fmu_runner_enabled=1"
    ) else (
        set "fmu_runner_enabled=0"
    )
) else if /i "!enable_fmu_runner!"=="y" (
    set "fmu_runner_enabled=1"
) else if /i "!enable_fmu_runner!"=="yes" (
    set "fmu_runner_enabled=1"
) else if /i "!enable_fmu_runner!"=="true" (
    set "fmu_runner_enabled=1"
) else if "!enable_fmu_runner!"=="1" (
    set "fmu_runner_enabled=1"
) else (
    set "fmu_runner_enabled=0"
)
if "!fmu_runner_enabled!"=="1" (
    call :UpdateEnv "%ROOT_ENV_FILE%" "FMU_RUNNER_ENABLED" "true"
    echo    * FMU runner enabled. /fmu routes are active.
) else (
    call :UpdateEnv "%ROOT_ENV_FILE%" "FMU_RUNNER_ENABLED" "false"
    echo    * FMU runner disabled. Startup will use '--scale fmu-runner=0'.
)
echo.

echo AAS Support ^(Asset Administration Shell^)
echo ==========================================
if not "!issuer_value!"=="" (
    echo Lite Gateway detected - AAS is only available on Full Gateway instances. Skipping.
    call :UpdateEnv "%ROOT_ENV_FILE%" "BASYX_AAS_URL" ""
) else (
    echo AAS enables publishing Digital Twin descriptions ^(IDTA 02006^) for FMUs and physical labs.
    echo   1^) Bundled BaSyx  - Deploy the included BaSyx AAS Server container ^(recommended^)
    echo   2^) External server - Connect to an existing AAS server ^(BaSyx, NOVAAS, etc.^)
    echo   3^) None           - Skip AAS support
    set /p "aas_option=AAS server [1/2/3] (default: 1): "
    if defined aas_option set "aas_option=!aas_option: =!"
    if "!aas_option!"=="2" (
        echo External AAS server selected.
        set /p "external_aas_url=External AAS API base URL ^(e.g. http://192.168.1.10:8081 or https://my-aas.example.com^): "
        if defined external_aas_url set "external_aas_url=!external_aas_url: =!"
        if "!external_aas_url!"=="" (
            echo No URL provided. AAS support disabled.
            call :UpdateEnv "%ROOT_ENV_FILE%" "BASYX_AAS_URL" ""
        ) else (
            echo    * External AAS server: !external_aas_url!
            echo    * Bundled basyx-aas-server / basyx-mongo containers will NOT be started.
            call :UpdateEnv "%ROOT_ENV_FILE%" "BASYX_AAS_URL" "!external_aas_url!"
        )
    ) else if "!aas_option!"=="3" (
        echo AAS support disabled.
        call :UpdateEnv "%ROOT_ENV_FILE%" "BASYX_AAS_URL" ""
    ) else (
        echo Bundled BaSyx selected.
        call :UpdateEnv "%ROOT_ENV_FILE%" "BASYX_AAS_URL" ""
        set "aas_enabled=1"
    )
)
echo.

echo Remote Access (Cloudflare Tunnel)
echo =================================
set "enable_cf="
set /p "enable_cf=Enable Cloudflare Tunnel to expose the gateway without opening inbound ports? (y/N): "
if defined enable_cf set "enable_cf=!enable_cf: =!"
if /i "!enable_cf!"=="y" set "cf_enabled=1"
if /i "!enable_cf!"=="yes" set "cf_enabled=1"

if "!cf_enabled!"=="1" (
    set "cf_token="
    set /p "cf_token=Cloudflare Tunnel token (leave empty to use a Quick Tunnel): "
    if defined cf_token set "cf_token=!cf_token: =!"
    if not "!cf_token!"=="" (
        call :UpdateEnv "%ROOT_ENV_FILE%" "CLOUDFLARE_TUNNEL_TOKEN" "!cf_token!"
    ) else (
        call :UpdateEnv "%ROOT_ENV_FILE%" "CLOUDFLARE_TUNNEL_TOKEN" ""
    )
    if /i "!domain!"=="localhost" (
        echo Cloudflare enabled: switching to standard ports ^(443/80^) for a cleaner public URL.
        call :UpdateEnv "%ROOT_ENV_FILE%" "HTTPS_PORT" "443"
        call :UpdateEnv "%ROOT_ENV_FILE%" "HTTP_PORT" "80"
        call :UpdateEnv "%ROOT_ENV_FILE%" "OPENRESTY_BIND_HTTPS_PORT" "443"
        call :UpdateEnv "%ROOT_ENV_FILE%" "OPENRESTY_BIND_HTTP_PORT" "80"
        set "https_port=443"
        set "http_port=80"
    )
)
if "!cf_enabled!"=="1" (
    if not "!cf_token!"=="" (
        set "cf_profile=cloudflare-token"
        set "cf_service=cloudflared-token"
    ) else (
        set "cf_profile=cloudflare"
        set "cf_service=cloudflared"
    )
)
REM Build complete compose command: base + files + profile
set "compose_full=%compose_cmd% !compose_files!"
if "!cf_enabled!"=="1" set "compose_full=!compose_full! --profile !cf_profile!"
set "compose_up_args=up -d"
if "!fmu_runner_enabled!"=="0" set "compose_up_args=up -d --scale fmu-runner=0"
echo.

echo Ops Worker configuration
echo ------------------------
echo The stack mounts ops-worker/hosts.empty.json by default.
echo To use your own hosts file, set OPS_CONFIG_PATH=./ops-worker/hosts.json before running docker compose.
echo.

if not exist certs mkdir certs
if not exist blockchain-data mkdir blockchain-data
if not exist fmu-data mkdir fmu-data
if not exist fmu-proxy-runtime mkdir fmu-proxy-runtime
if not exist fmu-proxy-runtime\binaries mkdir fmu-proxy-runtime\binaries
if not exist fmu-proxy-runtime\binaries\linux64 mkdir fmu-proxy-runtime\binaries\linux64
if not exist fmu-proxy-runtime\binaries\win64 mkdir fmu-proxy-runtime\binaries\win64
if not exist fmu-proxy-runtime\binaries\darwin64 mkdir fmu-proxy-runtime\binaries\darwin64
if not exist certs\.gitkeep type nul > certs\.gitkeep

echo SSL Certificates
echo ================
if exist certs\fullchain.pem (
    if exist certs\privkey.pem (
        echo SSL certificates found in certs\ - they will be used.
    ) else (
        echo Found certs\fullchain.pem but privkey.pem is missing.
    )
) else (
    echo No SSL certificates in certs\ - OpenResty will auto-generate self-signed certs at startup.
    if /i not "!domain!"=="localhost" (
        echo.
        echo For production, consider adding valid certificates:
        echo   * certs\fullchain.pem ^(certificate chain^)
        echo   * certs\privkey.pem ^(private key^)
        echo Sources: Let's Encrypt ^(certbot^), your CA, or cloud provider.
    )
)
echo.

echo JWT Signing Keys
echo =================
echo blockchain-services will generate keys at runtime if missing (volume ./certs).
if exist certs\private_key.pem (
    echo private_key.pem already exists in certs\ ^(it will be reused^).
) else (
    echo No private_key.pem in certs\; the container will create a new one at startup.
)
echo.
echo Certbot (Let's Encrypt) - optional automation
echo ============================================
set "cb_domains="
set /p "cb_domains=Domains for TLS (comma-separated, leave empty to skip ACME): "
if defined cb_domains set "cb_domains=!cb_domains: =!"
set "cb_email="
set /p "cb_email=Email for ACME (leave empty to skip ACME): "
if defined cb_email set "cb_email=!cb_email: =!"
if not "%cb_domains%"=="" if not "%cb_email%"=="" (
    call :UpdateEnv "%ROOT_ENV_FILE%" "CERTBOT_DOMAINS" "%cb_domains%"
    call :UpdateEnv "%ROOT_ENV_FILE%" "CERTBOT_EMAIL" "%cb_email%"
    echo Configured CERTBOT_DOMAINS and CERTBOT_EMAIL in .env
) else (
    echo Skipped certbot configuration ^(ACME^). Self-signed certificates will be auto-rotated in-container every ~87 days.
)
set "certbot_domains="
set "certbot_email="
call :ReadEnvValue "%ROOT_ENV_FILE%" "CERTBOT_DOMAINS" certbot_domains
call :ReadEnvValue "%ROOT_ENV_FILE%" "CERTBOT_EMAIL" certbot_email
if not "!certbot_domains!"=="" if not "!certbot_email!"=="" set "certbot_enabled=1"
if "!certbot_enabled!"=="1" set "compose_full=!compose_full! --profile certbot"
if "!aas_enabled!"=="1" set "compose_full=!compose_full! --profile aas"
echo.

echo Blockchain Services Configuration
echo ==================================
echo.
rem Provider registration enabled by default (non-interactive).
call :UpdateEnv "%BLOCKCHAIN_ENV_FILE%" "FEATURES_PROVIDERS_ENABLED" "true"
call :UpdateEnv "%BLOCKCHAIN_ENV_FILE%" "FEATURES_PROVIDERS_REGISTRATION_ENABLED" "true"
call :ReadEnvValue "%BLOCKCHAIN_ENV_FILE%" "CONTRACT_ADDRESS" contract_default
if defined contract_default (
    call :UpdateEnv "%BLOCKCHAIN_ENV_FILE%" "CONTRACT_ADDRESS" "!contract_default!"
)

call :ReadEnvValue "%BLOCKCHAIN_ENV_FILE%" "ETHEREUM_SEPOLIA_RPC_URL" sepolia_default
if not defined sepolia_default set "sepolia_default=https://ethereum-sepolia-rpc.publicnode.com,https://0xrpc.io/sep,https://ethereum-sepolia-public.nodies.app"
set /p "sepolia_rpc=Sepolia RPC URLs (comma separated) [!sepolia_default!]: "
if "!sepolia_rpc!"=="" set "sepolia_rpc=!sepolia_default!"
if not "!sepolia_rpc!"=="" (
    call :UpdateEnv "%BLOCKCHAIN_ENV_FILE%" "ETHEREUM_SEPOLIA_RPC_URL" "!sepolia_rpc!"
)

call :ReadEnvValue "%BLOCKCHAIN_ENV_FILE%" "ALLOWED_ORIGINS" origins_default
if not defined origins_default set "origins_default=https://marketplace-decentralabs.vercel.app"
set /p "allowed_origins=Allowed origins for CORS [!origins_default!]: "
if "!allowed_origins!"=="" set "allowed_origins=!origins_default!"
if not "!allowed_origins!"=="" (
    call :UpdateEnv "%BLOCKCHAIN_ENV_FILE%" "ALLOWED_ORIGINS" "!allowed_origins!"
)

call :ReadEnvValue "%BLOCKCHAIN_ENV_FILE%" "MARKETPLACE_PUBLIC_KEY_URL" mpk_default
if not defined mpk_default set "mpk_default=https://marketplace-decentralabs.vercel.app/.well-known/public-key.pem"
set /p "marketplace_pk=Marketplace public key URL [!mpk_default!]: "
if "!marketplace_pk!"=="" set "marketplace_pk=!mpk_default!"
if not "!marketplace_pk!"=="" (
    call :UpdateEnv "%BLOCKCHAIN_ENV_FILE%" "MARKETPLACE_PUBLIC_KEY_URL" "!marketplace_pk!"
)

echo.
echo Institutional Wallet Reminder
echo -----------------------------
echo Wallet creation/import is handled inside the blockchain-services web console.
echo After creating the wallet, update these variables in %BLOCKCHAIN_ENV_FILE%:
echo    * INSTITUTIONAL_WALLET_ADDRESS
echo    * INSTITUTIONAL_WALLET_PASSWORD
echo Wallet data will be persisted in the blockchain-data\ directory.
echo FMU proxy runtime binaries must be copied into fmu-proxy-runtime\binaries\^{linux64^|win64^|darwin64^} before proxy downloads will work.
echo.

echo Next Steps
echo ==========
echo 1. Review and customize %ROOT_ENV_FILE% if needed
echo 2. Ensure SSL certificates and RSA keys are present in certs\
echo 3. Review blockchain settings in %BLOCKCHAIN_ENV_FILE if needed%
echo 4. Run: !compose_full! !compose_up_args!
if "!cf_enabled!"=="1" (
    echo 5. Cloudflare tunnel: check '!compose_full! logs !cf_service!' for the public hostname ^(or your configured tunnel token domain^).
)
if /i "!domain!"=="localhost" (
    echo Access: https://localhost:!https_port! ^(HTTP: !http_port!^)
) else (
    echo Access: https://!domain!
)
set "token_host="
if /i "!domain!"=="localhost" (
    if "!https_port!"=="443" (
        set "token_host=https://localhost"
    ) else (
        set "token_host=https://localhost:!https_port!"
    )
) else (
    if "!https_port!"=="443" (
        set "token_host=https://!domain!"
    ) else (
        set "token_host=https://!domain!:!https_port!"
    )
)
echo    * Admin access token cookie: !token_host!/wallet-dashboard?token=!access_token!
echo    * Lab Manager token cookie: !token_host!/lab-manager?token=!lab_manager_token!
echo    * Guacamole: /guacamole/
echo    * Blockchain Services API: /auth
echo.

set /p "start_services=Do you want to start the services now? (Y/n): "
if /i "!start_services!"=="n" goto skip_start
if /i "!start_services!"=="no" goto skip_start

echo.
echo Building and starting services...
echo This may take several minutes on first run...

if "!reset_mysql_volume!"=="1" (
    call !compose_full! down --remove-orphans -v
) else (
    call !compose_full! down --remove-orphans
)
if errorlevel 1 goto compose_fail
call !compose_full! build --no-cache
if errorlevel 1 (
    echo.
    echo Initial docker build failed.
    echo Attempting automatic BuildKit cache recovery and one retry...
    docker builder prune -af
    if errorlevel 1 echo Warning: docker builder prune failed. Retrying anyway...
    docker buildx prune -af
    if errorlevel 1 echo Warning: docker buildx prune failed. Retrying anyway...
    call !compose_full! build --no-cache
    if errorlevel 1 goto compose_fail
)
call !compose_full! !compose_up_args!
if errorlevel 1 goto compose_fail
goto compose_success

:compose_fail
echo Failed to start services. Check the error messages above.
if "!db_credentials_changed!"=="1" if defined mysql_volume_name if "!reset_mysql_volume!"=="0" (
    echo Hint: Existing MySQL volume likely has old credentials. Run: docker compose down -v
)
goto docker_start_done

:compose_success
echo.
echo Services started successfully!
if /i "!domain!"=="localhost" (
    echo Access your lab at: https://localhost:!https_port!
) else (
    echo Access your lab at: https://!domain!
)
set "token_host="
if /i "!domain!"=="localhost" (
    if "!https_port!"=="443" (
        set "token_host=https://localhost"
    ) else (
        set "token_host=https://localhost:!https_port!"
    )
) else (
    if "!https_port!"=="443" (
        set "token_host=https://!domain!"
    ) else (
        set "token_host=https://!domain!:!https_port!"
    )
)
echo    * Admin access token cookie: !token_host!/wallet-dashboard?token=!access_token!
echo    * Lab Manager token cookie: !token_host!/lab-manager?token=!lab_manager_token!
    echo    * Guacamole: /guacamole/ ^(!guac_admin_user! / !guac_admin_pass!^)
    echo    * Blockchain Services API: /auth
    if "!cf_enabled!"=="1" (
        echo    * Cloudflare tunnel logs ^(hostname^): !compose_full! logs !cf_service!
    )
    echo.
echo To check status: !compose_full! ps
echo To view logs: !compose_full! logs -f
echo.
echo Configuration:
echo    Environment: %ROOT_ENV_FILE%
echo    Blockchain Services Config: %BLOCKCHAIN_ENV_FILE%
echo    Certificates ^& Keys: certs\
echo    Wallet data directory: blockchain-data\
echo.
echo Full version deployment complete!
echo Your blockchain-based authentication system is now running.
goto docker_start_done

:skip_start
echo Configuration complete!
echo.
echo Next steps:
echo 1. Update blockchain contract and wallet values if needed.
echo 2. Run: !compose_full! !compose_up_args!
echo 3. Access your services as listed above.
if "!cf_enabled!"=="1" (
    echo 4. Cloudflare tunnel hostname: !compose_full! logs !cf_service!
)
echo.
echo For more information, see README.md

:docker_start_done
goto end

:end
echo.
pause
goto :eof

:UpdateEnvBoth
call :UpdateEnv "%ROOT_ENV_FILE%" "%~1" "%~2"
if exist "%BLOCKCHAIN_ENV_FILE%" call :UpdateEnv "%BLOCKCHAIN_ENV_FILE%" "%~1" "%~2"
exit /b

:UpdateEnvBlockchainOnly
if exist "%BLOCKCHAIN_ENV_FILE%" call :UpdateEnv "%BLOCKCHAIN_ENV_FILE%" "%~1" "%~2"
exit /b

:UpdateEnv
set "env_file=%~1"
set "env_key=%~2"
set "env_value=%~3"
powershell -NoLogo -NoProfile -Command "& { param($file,$key,$value); if (-not (Test-Path -LiteralPath $file)) { New-Item -Path $file -ItemType File -Force | Out-Null }; $content = @(); if (Test-Path -LiteralPath $file) { $content = @(Get-Content -LiteralPath $file) }; $pattern = '^' + [regex]::Escape($key) + '=.*$'; $replacement = $key + '=' + $value; $updated = $false; for ($i = 0; $i -lt $content.Count; $i++) { if ($content[$i] -match $pattern) { $content[$i] = $replacement; $updated = $true } }; if (-not $updated) { $content += $replacement }; Set-Content -LiteralPath $file -Value $content -Encoding Ascii }" "%env_file%" "%env_key%" "%env_value%"
exit /b

:ReadEnvValue
set "read_file=%~1"
set "read_key=%~2"
set "read_result="
if exist "%read_file%" (
    for /f "usebackq tokens=1* delims==" %%A in (`findstr /B /C:"%read_key%=" "%read_file%"`) do (
        set "read_result=%%B"
        goto read_done
    )
)
:read_done
if "%~3" NEQ "" set "%~3=%read_result%"
exit /b

:GenerateHex
setlocal
set "_bytes=%~1"
if "%_bytes%"=="" set "_bytes=16"
for /f %%H in ('powershell -NoLogo -NoProfile -Command "$bytes = New-Object byte[](%_bytes%); [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes); [BitConverter]::ToString($bytes).Replace('-', '').ToLowerInvariant()"') do set "_hex=%%H"
endlocal & set "%~2=%_hex%"
exit /b

:IsPlaceholderSecret
set "secret_value=%~1"
if /i "%secret_value%"=="" exit /b 0
if /i "%secret_value%"=="CHANGE_ME" exit /b 0
if /i "%secret_value%"=="CHANGEME" exit /b 0
if /i "%secret_value%"=="SECURE_PASSWORD" exit /b 0
if /i "%secret_value%"=="DB_PASSWORD" exit /b 0
if /i "%secret_value%"=="YOUR_PASSWORD" exit /b 0
if /i "%secret_value%"=="PASSWORD" exit /b 0
if /i "%secret_value%"=="TEST" exit /b 0
exit /b 1