# 核心鏡像選擇
FROM node:24-slim

# 1. 基礎依賴補全 (合併了 layer 減少體積)
# 注意：code-server 通過官方安裝腳本安裝，nginx 用於反向代理
RUN apt-get update && apt-get install -y --no-install-recommends \
    git openssh-client build-essential python3 python3-pip \
    g++ make ca-certificates curl wget nginx \
    && rm -rf /var/lib/apt/lists/*

# 1.1. 安裝 code-server（瀏覽器版 VS Code，自帶 terminal）
# 使用官方安裝腳本，自動適配架構和最新版本
RUN curl -fsSL https://code-server.dev/install.sh | sh

# 2. 安裝 GitHub CLI (gh) — 使用官方 APT 倉庫，避免社區版 API 相容性問題
RUN mkdir -p -m 755 /etc/apt/keyrings \
    && out=$(mktemp) && wget -nv -O$out https://cli.github.com/packages/githubcli-archive-keyring.gpg \
    && cat $out | tee /etc/apt/keyrings/githubcli-archive-keyring.gpg > /dev/null \
    && chmod go+r /etc/apt/keyrings/githubcli-archive-keyring.gpg \
    && mkdir -p -m 755 /etc/apt/sources.list.d \
    && echo "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/githubcli-archive-keyring.gpg] https://cli.github.com/packages stable main" \
       | tee /etc/apt/sources.list.d/github-cli.list > /dev/null \
    && apt-get update \
    && apt-get install -y --no-install-recommends gh \
    && rm -rf /var/lib/apt/lists/* \
    && gh --version

# 3. 安裝 HF 數據交互工具
RUN pip3 install --no-cache-dir huggingface_hub --break-system-packages

# 4. 構建環境與 Git 協議優化
RUN update-ca-certificates && \
    git config --global http.sslVerify false && \
    git config --global url."https://github.com/".insteadOf ssh://git@github.com/

# 5. OpenClaw 核心安裝
RUN npm install -g openclaw@latest --unsafe-perm

# 6. 安裝 ClawHub CLI
RUN npm install -g clawhub --unsafe-perm \
    && clawhub -V || true

# 6.2. 安裝 Playwright 完整包（openclaw browser 高級功能必需：snapshot/screenshot/PDF/navigate）
# 注意：必須安裝完整 playwright，而非 playwright-core；openclaw 在其 node_modules 內已含 playwright-core
RUN npm install -g playwright --unsafe-perm

# 6.3. 安裝 Chromium 及系統依賴庫（使用 Playwright 官方腳本，一步搞定 100+ 依賴）
RUN npx playwright install chromium --with-deps

# 7. 安裝釘釘和企業微信插件
RUN openclaw plugins install @dingtalk-real-ai/dingtalk-connector
RUN openclaw plugins install @wecom/wecom-openclaw-plugin

# 7.1. 預安裝微信個人號插件本體（腾讯官方 iLink 協議）
# 注意：插件本體在構建時安裝，掃碼登錄在運行時進行（二維碼會打印到 HF Logs）
RUN openclaw plugins install @tencent-weixin/openclaw-weixin || true

# 8. 環境變量默認值
ENV PORT=7860 \
    OPENCLAW_GATEWAY_MODE=local \
    HOME=/root \
    PYTHONUNBUFFERED=1

# 9. 寫入 Python 同步引擎
RUN cat <<'EOF' > /usr/local/bin/sync.py
import os, sys, tarfile, shutil
from huggingface_hub import HfApi, hf_hub_download
from datetime import datetime, timedelta

api = HfApi()
repo_id = os.getenv("HF_DATASET")
token = os.getenv("HF_TOKEN")

OPENCLAW_LOCAL  = "/root/.openclaw"

# ── 通用工具函數 ──────────────────────────────────────────────────────────────

def _parse_skip_list(env_var):
    """解析逗號分隔的跳過列表，返回規範化路徑集合（支持多級子目錄）。"""
    raw = os.getenv(env_var, "").strip()
    if not raw:
        return set()
    return {s.strip().strip("/") for s in raw.split(",") if s.strip()}

def _is_skipped(rel_path, skip_set):
    """
    判斷 rel_path（相對於 /root/.openclaw 的路徑）是否應跳過。
    支持精確匹配及前綴匹配（即跳過某目錄下所有子路徑）。
    """
    rel = rel_path.strip("/")
    for skip in skip_set:
        if rel == skip or rel.startswith(skip + "/"):
            return True
    return False

def _walk_local(base_dir, skip_set=None):
    """
    遞歸遍歷 base_dir 下所有文件，返回 (local_abs_path, rel_to_base) 列表。
    rel_to_base 是相對於 base_dir 的路徑（不含前導斜杠）。
    skip_set 中的路徑是相對於 OPENCLAW_LOCAL 的路徑。
    """
    results = []
    if not os.path.isdir(base_dir):
        return results
    for dirpath, dirnames, filenames in os.walk(base_dir):
        for fname in filenames:
            abs_path = os.path.join(dirpath, fname)
            rel_to_base = os.path.relpath(abs_path, base_dir)
            if skip_set is not None:
                # 計算相對於 OPENCLAW_LOCAL 的路徑用於 skip 匹配
                rel_to_openclaw = os.path.relpath(abs_path, OPENCLAW_LOCAL)
                if _is_skipped(rel_to_openclaw, skip_set):
                    continue
            results.append((abs_path, rel_to_base))
    return results

# ── restore() ────────────────────────────────────────────────────────────────

def restore():
    if not repo_id or not token:
        print("Skip Restore: HF_DATASET or HF_TOKEN not set")
        return

    # RESTORE_SKIP=all：不恢復任何 tar.gz 內文件到本地，直接返回
    restore_skip_raw = os.getenv("RESTORE_SKIP", "").strip()
    if restore_skip_raw == "all":
        print("Restore skip: RESTORE_SKIP=all, skipping all restore.")
        return

    # ── 方案 B：以 Dataset 中的 initialized.flag 作為觸發條件 ─────────────────
    # 邏輯：
    #   - Dataset 中有 initialized.flag  → 普通 restart → 執行 restore，完成後寫入標記
    #   - Dataset 中无 initialized.flag  → 首次部署 → 跳過 restore
    #   - FORCE_RESTORE=true             → 無視標記，強制執行 restore（用於 factory rebuild）
    #
    # Factory rebuild 場景的兩種觸發方式（任選其一）：
    #   1. 在 HF Space Settings 中設置環境變量 FORCE_RESTORE=true，重建後再刪除此變量
    #   2. 直接在 HF Dataset 網頁上新建 initialized.flag 文件，再點 Restart
    INIT_FLAG = "initialized.flag"
    force_restore = os.getenv("FORCE_RESTORE", "").strip().lower() in ("true", "1", "yes")

    try:
        all_files = list(api.list_repo_files(repo_id=repo_id, repo_type="dataset", token=token))
    except Exception as e:
        print(f"Restore Error (list_repo_files): {e}")
        return

    flag_exists = INIT_FLAG in all_files

    if not flag_exists and not force_restore:
        print("Restore skip: initialized.flag not found, this is first deploy or rebuild.")
        import io
        flag_content = b"initialized\n"
        api.upload_file(
            path_or_fileobj=io.BytesIO(flag_content),
            path_in_repo=INIT_FLAG,
            repo_id=repo_id,
            repo_type="dataset",
            token=token,
            commit_message="Create initialized.flag on first deploy",
        )

        print("initialized.flag created in Dataset.")
        return

    if force_restore:
        print("Restore: FORCE_RESTORE=true, ignoring initialized.flag.")
    else:
        print("Restore: initialized.flag found in Dataset,this is a normal restart. ")

    # 解析跳過列表（用於在解壓時逐條目跳過，不是解壓後刪除）
    skip_set = _parse_skip_list("RESTORE_SKIP")

    try:
        # ── 從 tar.gz 備份恢復 ───────────────────────────────────────────────
        # 備份範圍：/root/.openclaw 下所有文件及文件夾（保持完整目錄結構）
        # tar 包內 arcname 直接對應 .openclaw/ 下的相對路徑，解壓目標為 /root/.openclaw/
        # RESTORE_SKIP：逗號分隔，填寫相對於 /root/.openclaw 的路徑
        # 支持多級子目錄，例如：RESTORE_SKIP=agents/main/sessions,cron,extensions/foo/bar
        # 留空或不設置 = 全部恢復（默認行為）
        # RESTORE_SKIP=all = 跳過全部恢復（已在上方提前返回）
        now = datetime.now()
        for i in range(5):
            day = (now - timedelta(days=i)).strftime("%Y-%m-%d")
            name = f"backup_{day}.tar.gz"
            if name in all_files:
                print(f"Downloading {name}...")
                path = hf_hub_download(repo_id=repo_id, filename=name, repo_type="dataset", token=token)
                os.makedirs(OPENCLAW_LOCAL, exist_ok=True)
                with tarfile.open(path, "r:gz") as tar:
                    for member in tar.getmembers():
                        if _is_skipped(member.name, skip_set):
                            print(f"Restore skip (RESTORE_SKIP): skipping {member.name}")
                            continue
                        tar.extract(member, path=OPENCLAW_LOCAL)
                print(f"Success: Restored from {name}")
                break

        # ── 寫入 initialized.flag 到 Dataset ────────────────────────────────
        # 無論是否找到備份，只要走到這裡就說明應當完成初始化流程，寫入標記
        import io
        flag_content = f"initialized at container startup\n".encode()
        api.upload_file(
            path_or_fileobj=io.BytesIO(flag_content),
            path_in_repo=INIT_FLAG,
            repo_id=repo_id,
            repo_type="dataset",
            token=token,
            commit_message="Set initialized.flag",
        )
        print(f"initialized.flag written to Dataset.")

    except Exception as e:
        print(f"Restore Error: {e}")


# ── backup() ──────────────────────────────────────────────────────────────────

def backup():
    if not repo_id or not token:
        print("Skip Backup: HF_DATASET or HF_TOKEN not set")
        return

    # ── tar.gz 打包備份 ──────────────────────────────────────────────────────
    # 備份範圍：/root/.openclaw 下所有文件及文件夾（完整目錄結構）
    # tar 包解壓目標為 /root/.openclaw/，arcname 對應其內部相對路徑
    #
    # BACKUP_TAR_SKIP：tar.gz 備份時跳過的文件/目錄（相對於 /root/.openclaw）
    # 格式：逗號分隔，支持多級子目錄
    # 例如：BACKUP_TAR_SKIP=agents/main/sessions,cron,extensions/foo/bar
    # 留空或不設置 = 備份全部
    # BACKUP_TAR_SKIP=all = 不執行 tar.gz 備份，不生成任何 tar.gz 備份文件
    backup_tar_skip_raw = os.getenv("BACKUP_TAR_SKIP", "").strip()
    if backup_tar_skip_raw == "all":
        print("Backup tar.gz skip: BACKUP_TAR_SKIP=all, skipping tar.gz backup.")
        return
    try:
        tar_skip_set = _parse_skip_list("BACKUP_TAR_SKIP")
        day = datetime.now().strftime("%Y-%m-%d")
        name = f"backup_{day}.tar.gz"
        with tarfile.open(name, "w:gz") as tar:
            for abs_path, rel_to_base in _walk_local(OPENCLAW_LOCAL, skip_set=tar_skip_set):
                arcname = rel_to_base  # 相對於 .openclaw/
                tar.add(abs_path, arcname=arcname)
        api.upload_file(path_or_fileobj=name, path_in_repo=name, repo_id=repo_id, repo_type="dataset", token=token)
        print(f"Backup {name} Success.")
    except Exception as e:
        print(f"Backup tar.gz Error: {e}")

if __name__ == "__main__":
    if len(sys.argv) > 1 and sys.argv[1] == "backup":
        backup()
    else:
        restore()
EOF

# 10. 寫入 providers JSON 生成腳本
RUN cat <<'EOF' > /usr/local/bin/build_providers.py
import os, json

def get(name):
    return os.environ.get(name, "")

providers = {}
for i in range(1, 6):
    pname   = get(f"provide{i}")
    baseurl = get(f"baseUrl{i}")
    apikey  = get(f"apiKey{i}")
    api     = get(f"provide{i}_api1")
    if not pname or not baseurl or not api:
        continue
    models = []
    for m in range(1, 6):
        mid   = get(f"provide{i}_models_id{m}")
        mname = get(f"provide{i}_models_name{m}")
        inp   = get(f"provide{i}_models_input{m}")
        if not mid:
            continue
        input_val = ["text", "image"] if "image" in inp.lower() else ["text"]
        models.append({
            "id": mid,
            "name": mname,
            "input": input_val,
            "reasoning": False,
            "contextWindow": 2000000,
            "maxTokens": 2000000,
            "cost": {"input": 0, "output": 0, "cacheRead": 0, "cacheWrite": 0}
        })
    if not models:
        continue
    providers[pname] = {
        "baseUrl": baseurl,
        "apiKey": apikey,
        "api": api,
        "models": models
    }

entries = []
for k, v in providers.items():
    block = json.dumps({k: v}, indent=4, ensure_ascii=False)
    inner = block.strip()[1:-1].strip()
    indented = "\n".join("    " + line for line in inner.split("\n"))
    entries.append(indented)

print(",\n".join(entries))
EOF

# 11. 寫入啟動控制邏輯
RUN cat <<'EOF' > /usr/local/bin/start-openclaw
#!/bin/bash
set -e

# ── restore() 觸發條件判斷 ──────────────────────────────────────────────────
# 判定邏輯已移入 sync.py restore() 函數內部（方案 B）：
#   - Dataset 中無 initialized.flag  → 首次部署 → 執行 restore，完成後寫入標記
#   - Dataset 中有 initialized.flag  → 普通 restart → 跳過 restore
#   - FORCE_RESTORE=true             → 強制執行 restore（用於 factory rebuild）
# 此處直接調用，觸發與否由 restore() 自行決定。
python3 /usr/local/bin/sync.py restore

mkdir -p /root/.openclaw/sessions

# provider1 model2~5 fallback 到自身 model1
provide1_models_id2="${provide1_models_id2:-$provide1_models_id1}"
provide1_models_name2="${provide1_models_name2:-$provide1_models_name1}"
provide1_models_api2="${provide1_models_api2:-$provide1_models_api1}"
provide1_models_input2="${provide1_models_input2:-$provide1_models_input1}"
provide1_models_id3="${provide1_models_id3:-$provide1_models_id1}"
provide1_models_name3="${provide1_models_name3:-$provide1_models_name1}"
provide1_models_api3="${provide1_models_api3:-$provide1_models_api1}"
provide1_models_input3="${provide1_models_input3:-$provide1_models_input1}"
provide1_models_id4="${provide1_models_id4:-$provide1_models_id1}"
provide1_models_name4="${provide1_models_name4:-$provide1_models_name1}"
provide1_models_api4="${provide1_models_api4:-$provide1_models_api1}"
provide1_models_input4="${provide1_models_input4:-$provide1_models_input1}"
provide1_models_id5="${provide1_models_id5:-$provide1_models_id1}"
provide1_models_name5="${provide1_models_name5:-$provide1_models_name1}"
provide1_models_api5="${provide1_models_api5:-$provide1_models_api1}"
provide1_models_input5="${provide1_models_input5:-$provide1_models_input1}"

# provider2 model2~5 fallback 到自身 model1
provide2_models_id2="${provide2_models_id2:-$provide2_models_id1}"
provide2_models_name2="${provide2_models_name2:-$provide2_models_name1}"
provide2_models_api2="${provide2_models_api2:-$provide2_models_api1}"
provide2_models_input2="${provide2_models_input2:-$provide2_models_input1}"
provide2_models_id3="${provide2_models_id3:-$provide2_models_id1}"
provide2_models_name3="${provide2_models_name3:-$provide2_models_name1}"
provide2_models_api3="${provide2_models_api3:-$provide2_models_api1}"
provide2_models_input3="${provide2_models_input3:-$provide2_models_input1}"
provide2_models_id4="${provide2_models_id4:-$provide2_models_id1}"
provide2_models_name4="${provide2_models_name4:-$provide2_models_name1}"
provide2_models_api4="${provide2_models_api4:-$provide2_models_api1}"
provide2_models_input4="${provide2_models_input4:-$provide2_models_input1}"
provide2_models_id5="${provide2_models_id5:-$provide2_models_id1}"
provide2_models_name5="${provide2_models_name5:-$provide2_models_name1}"
provide2_models_api5="${provide2_models_api5:-$provide2_models_api1}"
provide2_models_input5="${provide2_models_input5:-$provide2_models_input1}"

# provider3 model2~5 fallback 到自身 model1
provide3_models_id2="${provide3_models_id2:-$provide3_models_id1}"
provide3_models_name2="${provide3_models_name2:-$provide3_models_name1}"
provide3_models_api2="${provide3_models_api2:-$provide3_models_api1}"
provide3_models_input2="${provide3_models_input2:-$provide3_models_input1}"
provide3_models_id3="${provide3_models_id3:-$provide3_models_id1}"
provide3_models_name3="${provide3_models_name3:-$provide3_models_name1}"
provide3_models_api3="${provide3_models_api3:-$provide3_models_api1}"
provide3_models_input3="${provide3_models_input3:-$provide3_models_input1}"
provide3_models_id4="${provide3_models_id4:-$provide3_models_id1}"
provide3_models_name4="${provide3_models_name4:-$provide3_models_name1}"
provide3_models_api4="${provide3_models_api4:-$provide3_models_api1}"
provide3_models_input4="${provide3_models_input4:-$provide3_models_input1}"
provide3_models_id5="${provide3_models_id5:-$provide3_models_id1}"
provide3_models_name5="${provide3_models_name5:-$provide3_models_name1}"
provide3_models_api5="${provide3_models_api5:-$provide3_models_api1}"
provide3_models_input5="${provide3_models_input5:-$provide3_models_input1}"

# provider4 model2~5 fallback 到自身 model1
provide4_models_id2="${provide4_models_id2:-$provide4_models_id1}"
provide4_models_name2="${provide4_models_name2:-$provide4_models_name1}"
provide4_models_api2="${provide4_models_api2:-$provide4_models_api1}"
provide4_models_input2="${provide4_models_input2:-$provide4_models_input1}"
provide4_models_id3="${provide4_models_id3:-$provide4_models_id1}"
provide4_models_name3="${provide4_models_name3:-$provide4_models_name1}"
provide4_models_api3="${provide4_models_api3:-$provide4_models_api1}"
provide4_models_input3="${provide4_models_input3:-$provide4_models_input1}"
provide4_models_id4="${provide4_models_id4:-$provide4_models_id1}"
provide4_models_name4="${provide4_models_name4:-$provide4_models_name1}"
provide4_models_api4="${provide4_models_api4:-$provide4_models_api1}"
provide4_models_input4="${provide4_models_input4:-$provide4_models_input1}"
provide4_models_id5="${provide4_models_id5:-$provide4_models_id1}"
provide4_models_name5="${provide4_models_name5:-$provide4_models_name1}"
provide4_models_api5="${provide4_models_api5:-$provide4_models_api1}"
provide4_models_input5="${provide4_models_input5:-$provide4_models_input1}"

# provider5 model2~5 fallback 到自身 model1
provide5_models_id2="${provide5_models_id2:-$provide5_models_id1}"
provide5_models_name2="${provide5_models_name2:-$provide5_models_name1}"
provide5_models_api2="${provide5_models_api2:-$provide5_models_api1}"
provide5_models_input2="${provide5_models_input2:-$provide5_models_input1}"
provide5_models_id3="${provide5_models_id3:-$provide5_models_id1}"
provide5_models_name3="${provide5_models_name3:-$provide5_models_name1}"
provide5_models_api3="${provide5_models_api3:-$provide5_models_api1}"
provide5_models_input3="${provide5_models_input3:-$provide5_models_input1}"
provide5_models_id4="${provide5_models_id4:-$provide5_models_id1}"
provide5_models_name4="${provide5_models_name4:-$provide5_models_name1}"
provide5_models_api4="${provide5_models_api4:-$provide5_models_api1}"
provide5_models_input4="${provide5_models_input4:-$provide5_models_input1}"
provide5_models_id5="${provide5_models_id5:-$provide5_models_id1}"
provide5_models_name5="${provide5_models_name5:-$provide5_models_name1}"
provide5_models_api5="${provide5_models_api5:-$provide5_models_api1}"
provide5_models_input5="${provide5_models_input5:-$provide5_models_input1}"

# google model2~5 fallback
google_model2="${google_model2:-$google_model1}"
google_model3="${google_model3:-$google_model1}"
google_model4="${google_model4:-$google_model1}"
google_model5="${google_model5:-$google_model1}"

# primary_model / primary_imageModel fallback
primary_model="${primary_model:-${provide1}/${provide1_models_id1}}"
primary_imageModel="${primary_imageModel:-${provide1}/${provide1_models_id1}}"

PROVIDERS_JSON=$(python3 /usr/local/bin/build_providers.py)

# ── 動態 Channel 配置：DINGTALK 變量未設置時只寫入 disabled 配置，避免健康檢查拋出未捕獲異常崩潰進程 ──
if [ -n "${DINGTALK_clientId}" ] && [ -n "${DINGTALK_clientSecret}" ]; then
    DINGTALK_CHANNEL_JSON='"dingtalk-connector": {
      "enabled": true,
      "clientId": "${DINGTALK_clientId}",
      "clientSecret": "${DINGTALK_clientSecret}"
    },'
else
    DINGTALK_CHANNEL_JSON='"dingtalk-connector": {
      "enabled": false
    },'
fi

cat > /root/.openclaw/openclaw.json <<EOT
{
  "models": {
    "mode": "merge",
    "providers": {
${PROVIDERS_JSON}
    }
  },
  "agents": {
    "defaults": {
      "model": {
        "primary": "${primary_model}"
      },
      "imageModel": {
        "primary": "${primary_imageModel}"
      },
      "models": {
        "${provide1}/${provide1_models_id1}": {},
        "${provide1}/${provide1_models_id2}": {},
        "${provide1}/${provide1_models_id3}": {},
        "${provide1}/${provide1_models_id4}": {},
        "${provide1}/${provide1_models_id5}": {},
        "${provide2}/${provide2_models_id1}": {},
        "${provide2}/${provide2_models_id2}": {},
        "${provide2}/${provide2_models_id3}": {},
        "${provide2}/${provide2_models_id4}": {},
        "${provide2}/${provide2_models_id5}": {},
        "${provide3}/${provide3_models_id1}": {},
        "${provide3}/${provide3_models_id2}": {},
        "${provide3}/${provide3_models_id3}": {},
        "${provide3}/${provide3_models_id4}": {},
        "${provide3}/${provide3_models_id5}": {},
        "${provide4}/${provide4_models_id1}": {},
        "${provide4}/${provide4_models_id2}": {},
        "${provide4}/${provide4_models_id3}": {},
        "${provide4}/${provide4_models_id4}": {},
        "${provide4}/${provide4_models_id5}": {},
        "${provide5}/${provide5_models_id1}": {},
        "${provide5}/${provide5_models_id2}": {},
        "${provide5}/${provide5_models_id3}": {},
        "${provide5}/${provide5_models_id4}": {},
        "${provide5}/${provide5_models_id5}": {},
        "google/${google_model1}": {},
        "google/${google_model2}": {},
        "google/${google_model3}": {},
        "google/${google_model4}": {},
        "google/${google_model5}": {}
      }
    }
  },
  "gateway": {
    "mode": "local",
    "bind": "lan",
    "port": ${PORT},
    "trustedProxies": [
      "0.0.0.0/0",
      "10.0.0.0/8",
      "172.16.0.0/12",
      "192.168.0.0/16"
    ],
    "auth": {
      "mode": "token",
      "token": "${OPENCLAW_PASSWORD}"
    },
    "controlUi": {
      "allowInsecureAuth": true,
      "dangerouslyAllowHostHeaderOriginFallback": true
    }
  },
  "cron": {
    "enabled": true,
    "store": "/root/.openclaw/cron/jobs.json",
    "maxConcurrentRuns": 1
  },
  "plugins": {
    "allow": ["dingtalk-connector", "wecom-openclaw-plugin", "openclaw-weixin"],
    "entries": {
      "dingtalk-connector": {
        "enabled": true
      },
      "wecom-openclaw-plugin": {
        "enabled": true
      },
      "openclaw-weixin": {
        "enabled": true
      }
    }
  },
  "skills": {
    "entries": {
      "liang-tavily-search": {
        "enabled": true,
        "apiKey": "${TAVILY_API_KEY}"
      }
    }
  },
  "channels": {
${DINGTALK_CHANNEL_JSON}
    "wecom": {
      "enabled": true,
      "botId": "${WECOM_BOT_ID}",
      "secret": "${WECOM_SECRET}",
      "dmPolicy": "open",
      "groupPolicy": "open",
      "messageType": "markdown",
      "debug": false,
      "allowFrom": ["*"]
    }
  },
  "browser": {
    "enabled": true,
    "headless": true,
    "noSandbox": true,
    "defaultProfile": "openclaw",
    "executablePath": "/root/.cache/ms-playwright/chromium-1208/chrome-linux64/chrome",
    "ssrfPolicy": {
      "dangerouslyAllowPrivateNetwork": true
    }
  }}
EOT

# 生成 cron jobs 定義文件（僅在不存在時寫入，避免覆蓋用戶在運行時添加的 job）
# KEEP_ALIVE_MODEL：指定 keep-alive job 使用的模型，格式為 provider/model-id
# 例如：KEEP_ALIVE_MODEL=google/gemini-flash-lite
# 留空或不設置則由 openclaw 默認模型執行
mkdir -p /root/.openclaw/cron
if [ ! -f /root/.openclaw/cron/jobs.json ]; then
python3 - << 'PYEOF'
import os, json

enable_keep_alive = os.environ.get("ENABLE_KEEP_ALIVE", "false").strip().lower() in ("true", "1", "yes")

if enable_keep_alive:
    payload = {
        "kind": "agentTurn",
        "message": "curl -s -o /dev/null -w '%{http_code}' -X OPTIONS https://heiyu-mo-openclaw.hf.space/",
        "lightContext": True
    }
    keep_alive_model = os.environ.get("KEEP_ALIVE_MODEL", "").strip()
    if keep_alive_model:
        payload["model"] = keep_alive_model

    jobs = {
        "version": 1,
        "jobs": [{
            "id": "0f174587-f3cd-4ea6-90ef-887c845fdea0",
            "name": "keep-alive",
            "enabled": True,
            "createdAtMs": 1772522542926,
            "updatedAtMs": 1772594582735,
            "schedule": {"kind": "every", "everyMs": 3600000, "anchorMs": 1772522542926},
            "sessionTarget": "isolated",
            "wakeMode": "now",
            "payload": payload,
            "delivery": {"mode": "none", "channel": "last"},
            "state": {
                "nextRunAtMs": 1772598143029,
                "lastRunAtMs": 1772594543029,
                "lastRunStatus": "ok",
                "lastStatus": "ok",
                "lastDurationMs": 39706,
                "lastDelivered": False,
                "deliveryStatus": "not-delivered",
                "consecutiveErrors": 0
            }
        }]
    }
    model_info = f"model={keep_alive_model}" if keep_alive_model else "model=default"
    print(f"Cron jobs.json initialized. keep-alive enabled, {model_info}")
else:
    jobs = {"version": 1, "jobs": []}
    print("Cron jobs.json initialized. keep-alive disabled")

with open("/root/.openclaw/cron/jobs.json", "w") as f:
    json.dump(jobs, f, separators=(",", ":"))
PYEOF
else
echo "Cron jobs.json already exists, skipping init."
fi

# 增量備份循環（每 60 分鐘後台運行）
(while true; do sleep 3600; python3 /usr/local/bin/sync.py backup; done) &

# 把 HF Space Secrets 裡的 GEMINI key 寫入 auth-profiles.json
mkdir -p /root/.openclaw/agents/main/agent
python3 - << 'PYEOF'
import os, json

auth_file = "/root/.openclaw/agents/main/agent/auth-profiles.json"

if os.path.exists(auth_file):
    with open(auth_file) as f:
        data = json.load(f)
    for pid, profile in data.get("profiles", {}).items():
        if profile.get("type") == "api_key" and "token" in profile and "key" not in profile:
            profile["key"] = profile.pop("token")
else:
    data = {"profiles": {}, "lastGood": {}}

key_names = [
    ("GEMINI_API_KEY_1", "google:key1"),
    ("GEMINI_API_KEY_2", "google:key2"),
    ("GEMINI_API_KEY_3", "google:key3"),
    ("GEMINI_API_KEY_4", "google:key4"),
    ("GEMINI_API_KEY_5", "google:key5"),
]
first_profile_id = None
for env_name, profile_id in key_names:
    key_val = os.environ.get(env_name, "").strip()
    if not key_val:
        continue
    data["profiles"][profile_id] = {
        "type": "api_key",
        "provider": "google",
        "key": key_val
    }
    if first_profile_id is None:
        first_profile_id = profile_id

if first_profile_id:
    data["lastGood"]["google"] = first_profile_id

with open(auth_file, "w") as f:
    json.dump(data, f, indent=2)

print(f"auth-profiles.json written: {len([k for k in data['profiles'] if k.startswith('google:')])} google key(s)")
PYEOF

openclaw doctor --fix || true

# 安裝 liang-tavily-search skill 到 workspace/skills（最高優先級加載路徑）
# 僅在尚未安裝時執行，避免每次重啟都重複安裝
TAVILY_SKILL_DIR="/root/.openclaw/workspace/skills/liang-tavily-search"
if [ ! -d "$TAVILY_SKILL_DIR" ]; then
    echo "Installing liang-tavily-search skill to workspace/skills..."
    mkdir -p /root/.openclaw/workspace/skills
    # clawhub 在指定 cwd 下安裝到 ./skills，指向 workspace 目錄
    (cd /root/.openclaw/workspace && clawhub install liang-tavily-search) || \
        echo "Warning: liang-tavily-search skill install failed, continuing anyway."
else
    echo "liang-tavily-search skill already installed, skipping."
fi

# 探測 Playwright 下載的 Chromium 實際路徑，並動態修正 openclaw.json 中的 executablePath
# （Playwright 版本升級時 chromium-XXXX 目錄號可能變化）
CHROMIUM_EXEC=$(find /root/.cache/ms-playwright -name "chrome" -path "*/chrome-linux64/chrome" 2>/dev/null | head -1)
if [ -n "$CHROMIUM_EXEC" ]; then
    echo "Detected Chromium at: $CHROMIUM_EXEC"
    # 用 Python 就地修正 executablePath，避免 sed 處理特殊字符問題
    python3 - "$CHROMIUM_EXEC" << 'PYEOF'
import sys, json, os
path = sys.argv[1]
cfg_file = "/root/.openclaw/openclaw.json"
if not os.path.exists(cfg_file):
    print("openclaw.json not found, skip executablePath patch")
    sys.exit(0)
with open(cfg_file) as f:
    data = json.load(f)
browser = data.get("browser", {})
if browser.get("executablePath") != path:
    browser["executablePath"] = path
    data["browser"] = browser
    with open(cfg_file, "w") as f:
        json.dump(data, f, indent=2)
    print(f"executablePath updated to: {path}")
else:
    print("executablePath already correct, no change needed")
PYEOF
else
    echo "Warning: Chromium executable not found under /root/.cache/ms-playwright, browser tool may need manual executablePath config"
fi

# 微信個人號接入：gateway 啟動後後台執行掃碼登錄
# 二維碼通過 qrcode-terminal 打印到 stdout（HF Space Logs 可直接看到）
# 若已登錄過（存在 session），插件會跳過掃碼直接完成；首次部署需在 Logs 裡掃碼
# ENABLE_WEIXIN：設為 false 可跳過（默認啟用）
# 注意：v2.x 插件通過 Gateway WebSocket 接入，需等 gateway 就緒後再執行 login
if [ "${ENABLE_WEIXIN:-true}" != "false" ]; then
    echo "====== WeChat (微信) ClawBot Setup ======"
    echo "If QR code appears below in logs (~30s), scan it with WeChat to bind your account."
    echo "========================================="
    (
        sleep 30  # 等待 gateway 完全啟動
        openclaw channels login --channel openclaw-weixin 2>&1 || \
            echo "WeChat login step finished (or skipped if already configured)."
    ) &
    echo "====== WeChat Login initiated in background ======"
fi

# 後台啟動 Gateway，待其就緒後自動批准最新的設備配對請求
# 解決 "bind: lan" 模式下 browser 工具首次連接需要配對審批的問題
# 注意：新版 openclaw (2026.4.x) approve --latest 已改為 preview-only，
#       必須先 list --json 取得 requestId，再用精確 ID 執行 approve
(
    echo "Waiting for Gateway to become ready before approving device pairs..."
    sleep 45
    for i in $(seq 1 5); do
        REQUEST_ID=$(openclaw devices list --json 2>/dev/null | python3 -c "
import sys, json
try:
    data = json.load(sys.stdin)
    pending = [d for d in data if d.get('status') == 'pending']
    if pending:
        print(pending[-1]['requestId'])
except Exception:
    pass
" 2>/dev/null)
        if [ -n "$REQUEST_ID" ]; then
            if openclaw devices approve "$REQUEST_ID" 2>/dev/null; then
                echo "Approved device pair request: $REQUEST_ID"
                break
            fi
        fi
        echo "No pending device pairs yet (attempt $i/5), retrying in 5s..."
        sleep 5
    done
) &

exec openclaw gateway run --port $PORT
EOF

RUN chmod +x /usr/local/bin/start-openclaw

# ─────────────────────────────────────────────────────────────────────────────
# 12. code-server 按需啟停管理器 + nginx 啟動包裝腳本
# ─────────────────────────────────────────────────────────────────────────────
#
# 【架構說明】
#   HF Space 對外只暴露單一端口 $PORT（默認 7860），因此：
#   - nginx            監聽 $PORT（對外，由本腳本在運行時寫入配置）
#   - openclaw gateway 監聽 7862（內部，通過覆蓋 PORT=7862 傳給 start-openclaw）
#   - code-server      監聽 13337（內部，按需啟停）
#   nginx 路由：/ide/ -> code-server:13337（nginx 剝離 /ide/ 前綴），/ -> gateway:7862
#
# 【按需啟停機制】（無需 nginx Lua 模塊，純 bash + Python 實現）
#
#   核心組件 1：/usr/local/bin/cs-manager（Python 守護進程）
#     - 監聽 Unix socket：/tmp/cs-manager.sock
#     - 接收來自 nginx 的觸發請求（通過 nginx error_page + proxy_pass 機制）
#     - 負責啟動、停止 code-server，維護"最後活躍時間戳"文件
#     - 每分鐘檢查一次，若超過 IDE_IDLE_MINUTES 分鐘無請求，自動 kill code-server
#
#   核心組件 2：nginx 配置（/ide/ location）
#     - 設置 proxy_connect_timeout 極短（2s），code-server 未啟動時快速失敗
#     - 通過 error_page 502/504 -> @ide_wakeup 捕獲連接失敗
#     - @ide_wakeup location：反向代理到 cs-manager，cs-manager 啟動 code-server
#       並返回 HTML 自動刷新頁（前端 5s 後自動重試 /ide/ 直到 code-server 就緒）
#     - 正常請求到達 /ide/ 時，通過 post_action 向 cs-manager 發心跳更新活躍時間戳
#
# 【環境變量】
#   IDE_IDLE_MINUTES      閒置自動關閉時間（分鐘），默認 30
#   CODE_SERVER_PASSWORD  code-server 登錄密碼，默認 changeme123!

# ── 12a. 寫入 cs-manager 守護進程 ───────────────────────────────────────────
RUN cat <<'PYEOF' > /usr/local/bin/cs-manager
#!/usr/bin/env python3
"""
cs-manager: code-server 按需啟停守護進程

監聽 Unix socket，提供兩個 HTTP 端點：
  GET /wakeup    - 觸發啟動 code-server（若未運行），返回"啟動中"等待頁
  GET /heartbeat - 更新最後活躍時間（nginx 每次成功代理 /ide/ 後調用）

後台定時任務：
  每 60 秒檢查一次，若超過 IDE_IDLE_MINUTES 分鐘無 heartbeat，kill code-server
"""

import os, sys, time, signal, subprocess, threading, socket, re
from http.server import HTTPServer, BaseHTTPRequestHandler

# ── 配置 ─────────────────────────────────────────────────────────────────────
SOCK_PATH        = "/tmp/cs-manager.sock"
CS_PORT          = int(os.environ.get("CODE_SERVER_PORT", "13337"))
CS_PASSWORD      = os.environ.get("CODE_SERVER_PASSWORD", "changeme123!")
CS_USER_DATA_DIR = "/root/.code-server"
CS_EXTENSIONS_DIR= "/root/.code-server/extensions"
CS_WORKSPACE     = "/root/.openclaw"
CS_LOG           = "/root/.openclaw/logs/code-server.log"
IDLE_MINUTES     = int(os.environ.get("IDE_IDLE_MINUTES", "30"))
LAST_ACCESS_FILE = "/tmp/cs-last-access"
CS_PID_FILE      = "/tmp/cs-server.pid"
CHECK_INTERVAL   = 60   # 秒

# ── 全局狀態 ──────────────────────────────────────────────────────────────────
_lock    = threading.Lock()
_starting = False   # 正在啟動中，防止並發重複啟動

# ── 工具函數 ──────────────────────────────────────────────────────────────────

def log(msg):
    ts = time.strftime("%Y-%m-%d %H:%M:%S")
    print(f"[cs-manager {ts}] {msg}", flush=True)

def touch_last_access():
    try:
        with open(LAST_ACCESS_FILE, "w") as f:
            f.write(str(time.time()))
        os.utime(LAST_ACCESS_FILE, None)
    except Exception as e:
        log(f"touch_last_access error: {e}")

def get_cs_pid():
    """讀取 PID 文件，返回 code-server PID（若進程存在），否則返回 None"""
    try:
        with open(CS_PID_FILE) as f:
            pid = int(f.read().strip())
        os.kill(pid, 0)   # 探測進程是否存在
        return pid
    except Exception:
        return None

def is_cs_running():
    return get_cs_pid() is not None

def is_cs_port_ready():
    """嘗試 TCP 連接 code-server 端口，確認服務真正可用"""
    try:
        s = socket.create_connection(("127.0.0.1", CS_PORT), timeout=1)
        s.close()
        return True
    except Exception:
        return False

def start_cs():
    """啟動 code-server，非阻塞，返回後進程在後台運行"""
    global _starting
    with _lock:
        if _starting or is_cs_running():
            return
        _starting = True

    try:
        log(f"Starting code-server on port {CS_PORT}...")
        os.makedirs(os.path.dirname(CS_LOG), exist_ok=True)
        os.makedirs(CS_USER_DATA_DIR, exist_ok=True)

        # 寫入 code-server config.yaml
        cfg_dir = "/root/.config/code-server"
        os.makedirs(cfg_dir, exist_ok=True)
        with open(os.path.join(cfg_dir, "config.yaml"), "w") as f:
            f.write(f"bind-addr: 127.0.0.1:{CS_PORT}\n")
            f.write(f"auth: password\n")
            f.write(f"password: {CS_PASSWORD}\n")
            f.write(f"cert: false\n")

        env = os.environ.copy()
        env.pop("PORT", None)   # 防止 code-server 讀取 PORT=7860 覆蓋端口

        log_file = open(CS_LOG, "a")
        proc = subprocess.Popen(
            [
                "code-server",
                "--disable-telemetry",
                "--disable-update-check",
                f"--user-data-dir={CS_USER_DATA_DIR}",
                f"--extensions-dir={CS_EXTENSIONS_DIR}",
                CS_WORKSPACE,
            ],
            stdout=log_file,
            stderr=log_file,
            env=env,
            start_new_session=True,   # 脫離當前進程組，避免隨父進程終止
        )

        # 寫入 PID 文件
        with open(CS_PID_FILE, "w") as f:
            f.write(str(proc.pid))
        log(f"code-server started, PID={proc.pid}")
        touch_last_access()
    except Exception as e:
        log(f"start_cs error: {e}")
    finally:
        with _lock:
            _starting = False

def stop_cs():
    """終止 code-server 進程"""
    pid = get_cs_pid()
    if pid is None:
        log("stop_cs: code-server not running, skip")
        return
    try:
        os.kill(pid, signal.SIGTERM)
        log(f"code-server (PID={pid}) terminated (SIGTERM)")
    except Exception as e:
        log(f"stop_cs error: {e}")
    try:
        os.remove(CS_PID_FILE)
    except Exception:
        pass

# ── 閒置檢測定時器 ────────────────────────────────────────────────────────────

def idle_checker():
    while True:
        time.sleep(CHECK_INTERVAL)
        try:
            if not is_cs_running():
                continue
            try:
                mtime = os.path.getmtime(LAST_ACCESS_FILE)
            except FileNotFoundError:
                mtime = 0
            idle_secs = time.time() - mtime
            idle_mins  = idle_secs / 60
            if idle_mins >= IDLE_MINUTES:
                log(f"Idle for {idle_mins:.1f} min (threshold={IDLE_MINUTES} min), stopping code-server...")
                stop_cs()
            else:
                remaining = IDLE_MINUTES - idle_mins
                log(f"code-server running, idle {idle_mins:.1f}/{IDLE_MINUTES} min (auto-stop in {remaining:.1f} min)")
        except Exception as e:
            log(f"idle_checker error: {e}")

# ── HTTP 請求處理 ─────────────────────────────────────────────────────────────

WAKEUP_HTML = """\
<!DOCTYPE html>
<html lang="zh">
<head>
<meta charset="utf-8">
<meta http-equiv="refresh" content="5;url=/ide/">
<title>IDE 啟動中...</title>
<style>
  body {{ font-family: sans-serif; display:flex; align-items:center;
          justify-content:center; height:100vh; margin:0; background:#1e1e1e; color:#ccc; }}
  .box {{ text-align:center; }}
  .spinner {{ width:48px; height:48px; border:5px solid #555;
              border-top-color:#0078d4; border-radius:50%;
              animation:spin 1s linear infinite; margin:0 auto 20px; }}
  @keyframes spin {{ to {{ transform:rotate(360deg) }} }}
  p {{ margin:6px 0; }}
  small {{ color:#888; }}
</style>
</head>
<body>
<div class="box">
  <div class="spinner"></div>
  <p>VS Code IDE 正在啟動，請稍候...</p>
  <p><small>頁面將在 5 秒後自動重試，或手動 <a href="/ide/" style="color:#0078d4">刷新</a></small></p>
</div>
</body>
</html>
"""

class CSManagerHandler(BaseHTTPRequestHandler):
    def log_message(self, fmt, *args):
        pass  # 靜默 access log，避免刷日誌

    def do_GET(self):
        if self.path.startswith("/wakeup"):
            self._handle_wakeup()
        elif self.path.startswith("/heartbeat"):
            self._handle_heartbeat()
        else:
            self.send_response(404)
            self.end_headers()

    def _handle_wakeup(self):
        """
        nginx @ide_wakeup 調用此端點。
        若 code-server 已在運行（端口可達），返回 302 重定向回 /ide/。
        若未運行，觸發後台啟動，返回 200 "啟動中"等待頁。
        """
        if is_cs_port_ready():
            # code-server 已就緒，302 重定向回 /ide/
            touch_last_access()
            self.send_response(302)
            self.send_header("Location", "/ide/")
            self.end_headers()
        else:
            # 觸發啟動（後台），返回等待頁
            if not is_cs_running():
                t = threading.Thread(target=start_cs, daemon=True)
                t.start()
            html = WAKEUP_HTML.encode()
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(html)))
            self.end_headers()
            self.wfile.write(html)

    def _handle_heartbeat(self):
        """nginx 成功代理 /ide/ 請求後調用，更新活躍時間"""
        touch_last_access()
        self.send_response(204)
        self.end_headers()


class UnixSocketHTTPServer(HTTPServer):
    """在 Unix domain socket 上監聽的 HTTPServer"""
    address_family = socket.AF_UNIX

    def server_bind(self):
        try:
            os.unlink(self.server_address)
        except FileNotFoundError:
            pass
        super().server_bind()
        os.chmod(self.server_address, 0o666)


# ── 主入口 ────────────────────────────────────────────────────────────────────

if __name__ == "__main__":
    log(f"cs-manager starting (idle_timeout={IDLE_MINUTES} min, cs_port={CS_PORT})")
    log(f"Listening on Unix socket: {SOCK_PATH}")

    # 啟動閒置檢測後台線程
    t = threading.Thread(target=idle_checker, daemon=True)
    t.start()

    # 啟動 HTTP 服務（Unix socket）
    server = UnixSocketHTTPServer(SOCK_PATH, CSManagerHandler)
    try:
        server.serve_forever()
    except KeyboardInterrupt:
        log("cs-manager shutting down")
        server.server_close()
PYEOF

RUN chmod +x /usr/local/bin/cs-manager

# ── 12b. 寫入主啟動腳本 ──────────────────────────────────────────────────────
RUN cat <<'EOF' > /usr/local/bin/start-openclaw-code-server
#!/bin/bash
set -e

# HuggingFace Space 對外端口（由 HF 平台注入，默認 7860）
LISTEN_PORT="${PORT:-7860}"
# openclaw gateway 內部端口（避免與 nginx 對外端口衝突）
GATEWAY_PORT=7862
# code-server 內部端口
CODE_SERVER_PORT="${CODE_SERVER_PORT:-13337}"
# code-server 閒置自動關閉時間（分鐘），默認 30 分鐘
IDE_IDLE_MINUTES="${IDE_IDLE_MINUTES:-30}"

export CODE_SERVER_PORT IDE_IDLE_MINUTES
export CODE_SERVER_PASSWORD="${CODE_SERVER_PASSWORD:-changeme123!}"

echo "=== start-openclaw-code-server (按需啟停模式) ==="
echo "External listen port     : ${LISTEN_PORT}"
echo "Gateway internal port    : ${GATEWAY_PORT}"
echo "code-server internal port: ${CODE_SERVER_PORT}"
echo "IDE idle auto-stop       : ${IDE_IDLE_MINUTES} min"
echo "code-server starts on first /ide/ visit (NOT at boot)"

# ── 1. 後台啟動原版 start-openclaw（覆蓋 PORT 使 gateway 監聽內部端口）──────
# start-openclaw 內所有邏輯（恢復備份、寫配置、後台備份循環、微信登錄、設備配對審批等）
# 全部照常執行，僅 gateway 監聽端口從 $PORT 改為內部 $GATEWAY_PORT
mkdir -p /root/.openclaw/logs
PORT=${GATEWAY_PORT} bash /usr/local/bin/start-openclaw 2>&1 | tee /root/.openclaw/logs/openclaw-main.log &
echo "start-openclaw launched in background (gateway port=${GATEWAY_PORT})"

# ── 2. 啟動 cs-manager 守護進程（後台）───────────────────────────────────────
# cs-manager 監聽 Unix socket，負責 code-server 的按需啟動和閒置關閉
python3 /usr/local/bin/cs-manager 2>&1 | tee /root/.openclaw/logs/cs-manager.log &
echo "cs-manager launched in background"

# 等待 cs-manager socket 就緒（最多 10 秒）
for i in $(seq 1 20); do
  if [ -S /tmp/cs-manager.sock ]; then
    echo "cs-manager socket ready"
    break
  fi
  sleep 0.5
done

# ── 3. 等待 gateway 內部就緒（最多 120 秒）───────────────────────────────────
echo "Waiting for openclaw gateway on internal port ${GATEWAY_PORT}..."
for i in $(seq 1 60); do
  if curl -fsS http://127.0.0.1:${GATEWAY_PORT}/ >/dev/null 2>&1; then
    echo "Gateway is up after $((i * 2))s."
    break
  fi
  sleep 2
done

# ── 4. 生成 nginx 配置並啟動 ─────────────────────────────────────────────────
#
# 按需啟停工作原理：
#
#   [正常訪問 /ide/（code-server 已運行）]
#     瀏覽器 → nginx /ide/ → proxy_pass code-server:13337（直接成功）
#             → post_action /ide-heartbeat/ → cs-manager /heartbeat（更新時間戳）
#
#   [首次訪問 /ide/（code-server 未運行）]
#     瀏覽器 → nginx /ide/ → proxy_pass code-server:13337（連接失敗，502）
#             → error_page 502 504 @ide_wakeup
#             → nginx @ide_wakeup → proxy_pass cs-manager /wakeup（通過 unix socket）
#             → cs-manager 後台啟動 code-server，返回"啟動中"HTML（5s 自動刷新）
#     5秒後瀏覽器自動重試 /ide/ → 若 code-server 已就緒則正常進入
#
#   [閒置超時自動關閉]
#     cs-manager 後台每 60s 檢查 /tmp/cs-last-access 的 mtime
#     若超過 IDE_IDLE_MINUTES 分鐘未更新，SIGTERM 殺掉 code-server 進程
#
# nginx 配置注意：
#   nginx 配置文件不支持 bash 變量語法（${}），
#   所有動態端口值通過 sed 替換佔位符在運行時寫入。
#   nginx 嚴格禁止在命名 location（@xxx）的 proxy_pass 中帶 URI 路徑部分，
#   使用 rewrite 指令解決（rewrite ^ /target break; proxy_pass http://upstream;）。

rm -f /etc/nginx/sites-enabled/default /etc/nginx/conf.d/default.conf

cat > /etc/nginx/conf.d/openclaw-ide.conf <<NGINX
# cs-manager Unix socket upstream（按需啟停控制器）
upstream cs_manager {
    server unix:/tmp/cs-manager.sock;
}

server {
    listen PLACEHOLDER_LISTEN_PORT;
    server_name _;
    client_max_body_size 100M;

    access_log /dev/stdout;
    error_log  /dev/stderr warn;

    # 關鍵：Cloudflare 做 SSL 終結，nginx 只收到 http 請求。
    # 若 nginx 生成絕對 URL（如 301/302 Location），會帶上 http://host:PORT，
    # 導致瀏覽器被重定向到帶明確端口的 http URL，被 Cloudflare 拒絕（400 Bad Request）。
    absolute_redirect off;
    port_in_redirect off;

    # ── /ide/ 主 location（按需啟停核心）────────────────────────────────────
    # proxy_connect_timeout 設為 2s：code-server 未運行時快速失敗觸發 error_page
    # post_action：每次成功代理後向 cs-manager 發心跳，更新活躍時間戳
    location /ide/ {
        proxy_pass http://127.0.0.1:PLACEHOLDER_CODE_SERVER_PORT/;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_redirect / /ide/;
        proxy_read_timeout 86400;
        # 快速檢測 code-server 是否在線（2s 即失敗，觸發 error_page）
        proxy_connect_timeout 2s;
        # code-server 未運行時，502/504 觸發喚醒流程
        error_page 502 504 @ide_wakeup;
        # 成功代理後，後台子請求更新心跳時間戳
        post_action /ide-heartbeat/;
    }

    # ── 心跳端點（供 post_action 調用，更新活躍時間）────────────────────────
    # internal 指令確保此 location 只能由 nginx 內部請求訪問，外部瀏覽器無法直接訪問
    # rewrite 將路徑改寫為 /heartbeat，再用不帶路徑的 proxy_pass（nginx 硬限制）
    location /ide-heartbeat/ {
        internal;
        rewrite ^ /heartbeat break;
        proxy_pass http://cs_manager;
        proxy_connect_timeout 1s;
        proxy_read_timeout 2s;
    }

    # ── 喚醒 location（code-server 未運行時的 fallback）────────────────────
    # 命名 location（@前綴）只能由 error_page 跳轉，不能直接 URL 訪問
    # rewrite 將路徑改寫為 /wakeup，再用不帶路徑的 proxy_pass（nginx 硬限制）
    location @ide_wakeup {
        rewrite ^ /wakeup break;
        proxy_pass http://cs_manager;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_connect_timeout 5s;
        proxy_read_timeout 30s;
    }

    # ── 其餘請求：代理到 openclaw gateway ────────────────────────────────────
    location / {
        proxy_pass http://127.0.0.1:PLACEHOLDER_GATEWAY_PORT/;
        proxy_http_version 1.1;
        proxy_set_header Host \$host;
        proxy_set_header Upgrade \$http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        proxy_read_timeout 86400;
    }
}
NGINX

sed -i \
  "s/PLACEHOLDER_LISTEN_PORT/${LISTEN_PORT}/g;
   s/PLACEHOLDER_CODE_SERVER_PORT/${CODE_SERVER_PORT}/g;
   s/PLACEHOLDER_GATEWAY_PORT/${GATEWAY_PORT}/g" \
  /etc/nginx/conf.d/openclaw-ide.conf

echo "nginx config:"
cat /etc/nginx/conf.d/openclaw-ide.conf

nginx -t
echo "Starting nginx (foreground)..."
exec nginx -g 'daemon off; error_log /dev/stderr warn;'
EOF

RUN chmod +x /usr/local/bin/start-openclaw-code-server

EXPOSE 7860

# 訪問方式（Space 啟動後）：
#   主界面（OpenClaw）: https://<your-space>.hf.space/
#   IDE（VS Code）    : https://<your-space>.hf.space/ide/
#                       首次訪問時自動啟動 code-server（約 10~20 秒）
#                       密碼由環境變量 CODE_SERVER_PASSWORD 控制，默認：changeme123!
#                       閒置 IDE_IDLE_MINUTES 分鐘（默認 30）無訪問後自動關閉
#
# 環境變量：
#   CODE_SERVER_PASSWORD  IDE 登錄密碼（建議在 HF Space Secrets 中設置）
#   IDE_IDLE_MINUTES      IDE 閒置自動關閉時間（分鐘），默認 30
CMD ["/usr/local/bin/start-openclaw-code-server"]