package harness

import (
	"crypto/ed25519"
	"crypto/sha256"
	"crypto/x509"
	"encoding/pem"
	"os"
	"path/filepath"
	"testing"

	"github.com/alicebob/miniredis/v2"
)

// StartMiniredis starts one isolated Redis-compatible in-memory server and
// registers automatic cleanup.
func StartMiniredis(t testing.TB) *miniredis.Miniredis {
	t.Helper()

	server, err := miniredis.Run()
	if err != nil {
		t.Fatalf("start miniredis: %v", err)
	}

	t.Cleanup(server.Close)
	return server
}

// WriteResponseSignerPEM writes one deterministic PKCS#8 PEM-encoded Ed25519
// private key for gateway response signing and returns the file path plus the
// matching public key.
func WriteResponseSignerPEM(t testing.TB, label string) (string, ed25519.PublicKey) {
	t.Helper()

	seed := sha256.Sum256([]byte("galaxy-integration-response-signer-" + label))
	privateKey := ed25519.NewKeyFromSeed(seed[:])

	encoded, err := x509.MarshalPKCS8PrivateKey(privateKey)
	if err != nil {
		t.Fatalf("marshal response signer private key: %v", err)
	}

	pemBytes := pem.EncodeToMemory(&pem.Block{
		Type:  "PRIVATE KEY",
		Bytes: encoded,
	})

	path := filepath.Join(t.TempDir(), "response-signer.pem")
	if err := os.WriteFile(path, pemBytes, 0o600); err != nil {
		t.Fatalf("write response signer private key: %v", err)
	}

	return path, privateKey.Public().(ed25519.PublicKey)
}