#!/bin/sh
# Veladon MCP PII Redactor — one-pipe installer
#
# Usage (one line):
#
#     curl -sSf https://veladon.grindworks.ai/install.sh | sh
#
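# Verifies the tarball's SHA-256 against the hash pinned in this file before
# running `npm install -g`, so a tarball that was swapped or corrupted in
# transit is rejected. The pinned hash is served from the same origin as this
# script, so the check covers the tarball only, not the script itself.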
#
# What it does:
#   1. Download the v0.1.0 tarball from veladon.grindworks.ai
#   2. Verify SHA-256 matches the hardcoded expected hash in this file
#   3. `npm install -g` from the local tarball
#   4. Print next-step wiring instructions
#
# What it does NOT do:
#   - Add anything to your shell profile
#   - Call home or report telemetry
#   - Modify your ~/.claude/config.json — that's a deliberate step you do
#     after reading the docs
#
# Source: https://github.com/grindworks-studio/veladon-mcp (coming soon)
# Docs: https://veladon.grindworks.ai/mcp

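# Abort on any unhandled command failure (-e) and on use of an unset
# variable (-u).
set -eu

# Release being installed. EXPECTED_SHA256 pins the exact bytes of the tarball
# for this VERSION, so the two values have to be updated together.
VERSION="0.1.0"
PKG_NAME="veladon-mcp-pii-redactor"
TGZ_URL="https://veladon.grindworks.ai/${PKG_NAME}-${VERSION}.tgz"
EXPECTED_SHA256="3470a7c27650d9233f00245fd9da09d20665094659edfc63ba30199cb72c6f3b"
readonly VERSION PKG_NAME TGZ_URL EXPECTED_SHA256

# Colour escape sequences used by say/ok/die/dim. They default to empty
# strings and are filled in only when stdout is a terminal that answers
# `tput setaf`.
GREEN=""
CYAN=""
RED=""
DIM=""
RESET=""
if [ -t 1 ] && tput setaf 1 >/dev/null 2>&1; then
  # `|| true`: under `set -e` a failing command substitution in a plain
  # assignment aborts the script, so a terminal that lacks one capability
  # (for example `dim`) would otherwise end the install with no message.
  GREEN=$(tput setaf 2 2>/dev/null || true)
  CYAN=$(tput setaf 6 2>/dev/null || true)
  RED=$(tput setaf 1 2>/dev/null || true)
  DIM=$(tput dim 2>/dev/null || true)
  RESET=$(tput sgr0 2>/dev/null || true)
fi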

# say MESSAGE: print MESSAGE on stdout wrapped in the CYAN/RESET sequences
# (both are empty strings when colour is disabled).
say() {
  printf '%s\n' "${CYAN}${1}${RESET}"
}
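# ok MESSAGE: print a check mark (U+2713) followed by MESSAGE on stdout,
# wrapped in the GREEN/RESET sequences.
# The mark is written with octal escapes because this script runs under
# /bin/sh: POSIX printf defines \ooo escapes in the format string but not
# \xHH, and shells such as dash print "\xe2\x9c\x93" literally.
ok() {
  printf '%s\342\234\223 %s%s\n' "${GREEN}" "$1" "${RESET}"
}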
# die MESSAGE: print MESSAGE on stderr wrapped in the RED/RESET sequences,
# then terminate the script with exit status 1.
die() {
  printf '%s\n' "${RED}${1}${RESET}" >&2
  exit 1
}
# dim MESSAGE: print MESSAGE on stdout wrapped in the DIM/RESET sequences
# (used for secondary detail such as the download URL).
dim() {
  printf '%s\n' "${DIM}${1}${RESET}"
}

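# Remove the private working directory. `:?` makes the expansion fail instead
# of handing an empty path to `rm -rf`.
cleanup() {
  rm -rf -- "${WORK_DIR:?}"
}

# Download, verify and install the package, then print the wiring steps.
#
# The whole procedure lives in a function that is invoked on the last line of
# the file: when this script is piped into sh and the transfer is cut off
# part-way, the shell sees an unterminated function and stops with a syntax
# error instead of running a partial install.
#
# Globals:  VERSION, PKG_NAME, TGZ_URL, EXPECTED_SHA256 (read);
#           SHA_CMD, NODE_MAJOR, WORK_DIR, ACTUAL_SHA256 (written)
# Outputs:  progress on stdout, errors on stderr
# Returns:  exits non-zero through die() on any failed step
main() {
  # Pick a SHA-256 tool that's available (macOS ships shasum, Linux often
  # ships sha256sum). SHA_CMD is expanded unquoted further down on purpose so
  # that "shasum -a 256" splits into a command plus its arguments.
  if command -v shasum >/dev/null 2>&1; then
    SHA_CMD="shasum -a 256"
  elif command -v sha256sum >/dev/null 2>&1; then
    SHA_CMD="sha256sum"
  else
    die "neither shasum nor sha256sum available — install one and retry"
  fi

  command -v npm >/dev/null 2>&1 || die "npm is required (install Node.js 20+ first)"
  command -v curl >/dev/null 2>&1 || die "curl is required"

  # Major version of the node on PATH. The value is checked to be all digits
  # before the numeric test: `[ x -lt 20 ]` with a non-numeric operand is an
  # error that evaluates as "false", which would let an unparseable version
  # string pass the check.
  NODE_MAJOR=$(node -v 2>/dev/null | sed -E 's/^v([0-9]+).*/\1/')
  case "${NODE_MAJOR:-}" in
    '' | *[!0-9]*)
      die "Node 20+ required (found ${NODE_MAJOR:-none}). See https://nodejs.org/"
      ;;
  esac
  if [ "$NODE_MAJOR" -lt 20 ]; then
    die "Node 20+ required (found ${NODE_MAJOR}). See https://nodejs.org/"
  fi

  # Private working directory. It is kept in WORK_DIR rather than TMPDIR so
  # the conventional TMPDIR variable that mktemp and child processes consult
  # is left as the caller set it.
  WORK_DIR=$(mktemp -d 2>/dev/null || mktemp -d -t veladon) ||
    die "could not create a temporary directory"

  # Clean up on every exit path. The signal traps call `exit` so that an
  # interrupted run stops (and then fires the EXIT trap) instead of resuming
  # after the handler returns.
  trap cleanup EXIT
  trap 'exit 129' HUP
  trap 'exit 130' INT
  trap 'exit 143' TERM

  say "-> Downloading Veladon MCP v${VERSION}"
  dim "   ${TGZ_URL}"
  # --proto/--proto-redir keep the transfer, including any redirect followed
  # because of -L, on HTTPS.
  curl -sSfL --proto '=https' --proto-redir '=https' \
    "$TGZ_URL" -o "$WORK_DIR/pkg.tgz" || die "download failed"

  # Compare the downloaded bytes with the pinned hash. This fails closed: if
  # the hashing tool itself errors, ACTUAL_SHA256 is empty and cannot match.
  # shellcheck disable=SC2086 # SHA_CMD is deliberately word-split
  ACTUAL_SHA256=$($SHA_CMD "$WORK_DIR/pkg.tgz" | awk '{print $1}')
  if [ "$ACTUAL_SHA256" != "$EXPECTED_SHA256" ]; then
    printf "%sFATAL: checksum mismatch%s\n" "${RED}" "${RESET}" >&2
    printf "       expected: %s\n" "$EXPECTED_SHA256" >&2
    printf "       got:      %s\n" "$ACTUAL_SHA256" >&2
    die "aborting install"
  fi
  ok "Checksum verified ($(printf %s "$ACTUAL_SHA256" | cut -c1-16)...)"

  say "-> Installing globally via npm"
  # The checksum above covers pkg.tgz only.
  # NOTE(review): any dependencies the package declares are resolved by npm
  # itself and are not pinned by this script — confirm whether the tarball
  # bundles them.
  # npm's output goes to a log so the terminal stays quiet on success; on
  # failure the tail of the log is shown so the cause is not hidden.
  if ! npm install -g "$WORK_DIR/pkg.tgz" >"$WORK_DIR/npm.log" 2>&1; then
    tail -n 20 "$WORK_DIR/npm.log" >&2 || true
    die "npm install failed; try running with sudo or use nvm"
  fi

  ok "Installed ${PKG_NAME} v${VERSION}"
  printf '\n'
  say "next steps:"
  # The config printed below starts the server through `npx -y`.
  # NOTE(review): depending on how npx resolves the package name, the agent
  # may run a copy fetched from the public npm registry rather than the
  # tarball verified above — confirm which copy actually runs.
  cat <<'NEXT'

  (also available on the public npm registry:
     npm install -g veladon-mcp-pii-redactor
     npx -y veladon-mcp-pii-redactor)

  1. Wire into Claude Code  →  ~/.claude/config.json
  2. Or wire into Cursor    →  ~/.cursor/mcp.json

     {
       "mcpServers": {
         "veladon-redactor": {
           "command": "npx",
           "args": ["-y", "veladon-mcp-pii-redactor"]
         }
       }
     }

  3. Restart your agent. The redact_prompt tool will appear.

  docs:       https://veladon.grindworks.ai/mcp
  try first:  https://veladon.grindworks.ai/try  (in-browser demo)
  source:     git@github.com:grindworks-studio/veladon-mcp  (coming soon)
  npm:        https://www.npmjs.com/package/veladon-mcp-pii-redactor

NEXT
}

main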
