Makefile

.PHONY: menu help setup configure deploy test test-local test-docker test-security mcp \
        docker-up docker-up-prod docker-start docker-down docker-down-all docker-restart docker-restart-apis docker-restart-data docker-build docker-logs docker-ps docker-ps-all docker-clean docker-clean-all \
        vault-generate-env vault-migrate vault-sync ssl-check \
        github-check github-ensure \
        install update manage login recover-admin rotate-secrets profile demo warmup demo-clean demo-status \
        docker-deploy docker-deploy-infra docker-deploy-apis docker-deploy-llm docker-deploy-frontend \
        deploy-user-app undeploy-user-app list-user-apps user-app-logs user-app-status \
        mlx-status mlx-start mlx-stop mlx-restart mlx-media-status mlx-media-start mlx-media-start-all mlx-media-stop mlx-media-restart mlx-transcribe mlx-image host-agent-status host-agent-start host-agent-stop host-agent-restart \
        build-images k8s-deploy k8s-sync k8s-build k8s-apply k8s-status k8s-delete k8s-secrets k8s-logs \
        k8s-gpu-up k8s-gpu-down k8s-gpu-status k8s-gpu-window \
        spot-check spot-swap spot-price \
        connect disconnect k8s-connect-status \
        build-manager \
        busibox-build busibox

# Default target - interactive menu with health check
.DEFAULT_GOAL := menu

# ============================================================================
# VARIABLES
# ============================================================================
# Environment: development, demo, staging, production
#   development - Docker dev mode (volume mounts, npm-linked busibox-app)
#   demo        - Docker prod mode (for demos/presentations)
#   staging     - Docker or Proxmox (10.96.201.x network)
#   production  - Docker or Proxmox (10.96.200.x network)
#
# Environment is read from the active deployment profile (.busibox/profiles.json)
# Falls back to development if no profile is configured
PROFILE_ENV := $(shell python3 -c "import json; d=json.load(open('.busibox/profiles.json')); p=d['profiles'][d['active']]; print(p['environment'])" 2>/dev/null)
ENV ?= $(if $(PROFILE_ENV),$(PROFILE_ENV),development)

# ============================================================================
# MANAGER CONTAINER
# ============================================================================
# When USE_MANAGER=1 (default), orchestration commands (install, manage, menu)
# run inside an ephemeral Docker container with guaranteed dependencies
# (Ansible, Docker CLI, vault tools, SSH). Set USE_MANAGER=0 to run directly
# on the host (legacy behavior, requires host-installed tools).
#
# Auto-detection: if Docker is not available, falls back to host execution.
DOCKER_AVAILABLE := $(shell docker info >/dev/null 2>&1 && echo 1 || echo 0)
USE_MANAGER ?= $(DOCKER_AVAILABLE)

# Manager runner script -- handles image build, volume mounts, vault files
MANAGER_RUN = bash scripts/make/manager-run.sh
MANAGER_RUN_IT = bash scripts/make/manager-run.sh --interactive

# Build the manager image (explicit rebuild)
build-manager:
	@echo "Building manager container image..."
	@docker build -t busibox-manager:latest -f provision/docker/manager.Dockerfile provision/docker
	@echo "Manager image built."

# Service for targeted operations (comma-separated for multiple)
SERVICE ?=

# Action for service management (start, stop, restart, logs, redeploy, status)
ACTION ?=

# Inventory (maps to environment for Ansible)
# INV=staging maps to inventory/staging, INV=production maps to inventory/production
INV ?= staging

# Test mode: container (on deployed containers) or local (on your machine)
MODE ?= container

# Additional args (e.g., pytest args)
ARGS ?=

# Test listing options
CATEGORY ?=
DETAIL ?=

# Confirmation flag for destructive operations (milvus-reset)
CONFIRM ?=

# FAST mode: skip slow/gpu tests (default for local testing)
FAST ?=

# WORKER mode: start local data worker for integration tests
WORKER ?=

# Docker compose configuration
# Base: infrastructure and Python APIs
# Overlay selection based on environment:
#   development -> COMPOSE_DEV (volume mounts, npm link)
#   demo/staging/production -> COMPOSE_GITHUB (built from GitHub)
COMPOSE_FILE := docker-compose.yml
COMPOSE_DEV_MONOREPO := docker-compose.local-dev.yml
COMPOSE_GITHUB := docker-compose.github.yml

# Environment-prefixed files (allows multiple installations to coexist)
# ENV=demo        -> .env.demo, .busibox-state-demo
# ENV=development -> .env.dev, .busibox-state-dev
# ENV=staging     -> .env.staging, .busibox-state-staging
# ENV=production  -> .env.prod, .busibox-state-prod
ENV_PREFIX = $(if $(filter demo,$(ENV)),demo,$(if $(filter development,$(ENV)),dev,$(if $(filter staging,$(ENV)),staging,$(if $(filter production,$(ENV)),prod,dev))))
ENV_FILE := .env.$(ENV_PREFIX)
STATE_FILE := .busibox-state-$(ENV_PREFIX)

# Read DEV_APPS_DIR from state file if it exists
# This is set via: make configure -> Docker Configuration -> Configure Dev Apps Directory
DEV_APPS_DIR := $(shell grep -s '^DEV_APPS_DIR=' $(STATE_FILE) 2>/dev/null | cut -d'=' -f2- | tr -d '"' || echo "")
export DEV_APPS_DIR

# Core Apps Mode: controls whether core-apps run with Turbopack hot-reload (dev) or
# as memory-efficient standalone builds (prod). Default is prod to minimize resource usage.
# Override via environment variable or toggle via: make manage SERVICE=core-apps (option 8)
# This is set via: make manage -> core-apps -> Switch mode (or CORE_APPS_MODE=dev make docker-up)
CORE_APPS_MODE ?= $(shell grep -s '^CORE_APPS_MODE=' $(STATE_FILE) 2>/dev/null | cut -d'=' -f2- | tr -d '"' || echo "prod")
export CORE_APPS_MODE

# Core Apps Source: always monorepo (busibox-frontend).
# Legacy separate repos are no longer supported.
CORE_APPS_SOURCE := monorepo
export CORE_APPS_SOURCE

# Host path for Docker volume mounts.  The manager container mounts the repo
# at its real host path, so $(PWD) is always correct.  BUSIBOX_HOST_PATH is
# also exported by manager-run.sh as a convenience.
BUSIBOX_HOST_PATH ?= $(PWD)

# Dev overlay always uses monorepo
COMPOSE_DEV = $(COMPOSE_DEV_MONOREPO)

# Automatically select overlay based on environment
# development uses dev overlay, everything else uses github overlay
COMPOSE_OVERLAY = $(if $(filter development,$(ENV)),$(COMPOSE_DEV),$(COMPOSE_GITHUB))

# ============================================================================
# DOCKER PROJECT NAMING
# ============================================================================
# Each environment gets its own isolated Docker project (stack) with prefixed containers:
#   - demo-busibox    -> demo-postgres, demo-authz-api, etc.
#   - dev-busibox     -> dev-postgres, dev-authz-api, etc.
#   - staging-busibox -> staging-postgres, staging-authz-api, etc.
#   - prod-busibox    -> prod-postgres, prod-authz-api, etc.
#
# This allows multiple environments to coexist on the same Docker host.

# Map ENV to container prefix
CONTAINER_PREFIX = $(if $(filter demo,$(ENV)),demo,$(if $(filter development,$(ENV)),dev,$(if $(filter staging,$(ENV)),staging,$(if $(filter production,$(ENV)),prod,dev))))

# Compose project name (stack name)
COMPOSE_PROJECT = $(CONTAINER_PREFIX)-busibox

# Export for docker-compose and scripts
export COMPOSE_PROJECT_NAME = $(COMPOSE_PROJECT)
export CONTAINER_PREFIX
export BUSIBOX_ENV = $(ENV)
export GITHUB_AUTH_TOKEN

# ============================================================================
# MAIN MENU (Default)
# ============================================================================
# Interactive launcher menu - the main entry point
# Usage: make              # Full interactive menu
#        make ENV=staging  # Start with staging environment selected
menu:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN_IT) bash scripts/make/launcher.sh
else
	@bash scripts/make/launcher.sh
endif

# ============================================================================
# HELP
# ============================================================================
help:
	@echo ""
	@echo "╔══════════════════════════════════════════════════════════════════════╗"
	@echo "║                         Busibox Commands                             ║"
	@echo "╚══════════════════════════════════════════════════════════════════════╝"
	@echo ""
	@echo "Usage: make <target> [OPTIONS]"
	@echo ""
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo "                         MAIN COMMANDS"
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo ""
	@echo "  make                         # Interactive launcher menu"
	@echo "  make install                 # Fresh installation wizard"
	@echo "  make install SERVICE=authz   # Deploy specific service (via Ansible)"
	@echo "  make manage                  # Service management (interactive)"
	@echo "  make login                   # Generate admin magic link + open browser"
	@echo "  make manage SERVICE=authz ACTION=restart  # Direct service action"
	@echo "  CORE_APPS_MODE=prod make manage SERVICE=core-apps ACTION=restart  # Prod mode"
	@echo "  make test                    # Testing menu"
	@echo ""
	@echo "  Services: postgres, redis, minio, milvus, authz, agent, data,"
	@echo "            search, deploy, bridge, docs, embedding, litellm, core-apps, proxy, nginx"
	@echo "  Actions:  start, stop, restart, logs, redeploy, status"
	@echo ""
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo "                    OTHER COMMANDS"
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo ""
	@echo "  setup         - Initial setup (install dependencies)"
	@echo "  configure     - Configure models, GPUs, secrets"
	@echo "  deploy        - Deploy services (via Ansible)"
	@echo "  milvus-reset  - Drop + recreate Milvus collection (new embedding dim)"
	@echo "  mcp           - Build MCP server for Cursor AI"
	@echo "  warmup        - Check cache and download missing models"
	@echo ""
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo "                    DOCKER DEVELOPMENT"
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo ""
	@echo "  Environment-based mode selection (ENV variable):"
	@echo "    make docker-up                         # Start (default: development)"
	@echo "    make docker-up ENV=development         # Dev mode (volume mounts, npm link)"
	@echo "    make docker-up ENV=demo                # Demo mode (prod-like, from GitHub)"
	@echo "    make docker-up SERVICE=busibox-portal       # Start specific service"
	@echo ""
	@echo "  Core Developer Mode (CORE_APPS_MODE, development ENV only):"
	@echo "    make docker-up                         # Default: prod mode (standalone, memory-efficient)"
	@echo "    CORE_APPS_MODE=dev make docker-up      # Core developer mode (Turbopack hot-reload)"
	@echo "    make manage SERVICE=core-apps          # Toggle mode interactively (options 8, 9)"
	@echo ""
	@echo "  Core Apps Source:"
	@echo "    All core apps use the busibox-frontend monorepo"
	@echo ""
	@echo "  Building:"
	@echo "    make docker-build                      # Build for current ENV"
	@echo "    make docker-build ENV=demo             # Build prod-like images"
	@echo "    make docker-build SERVICE=authz-api    # Build specific service"
	@echo "    make docker-build NO_CACHE=1           # Rebuild without cache"
	@echo ""
	@echo "  Other:"
	@echo "    make docker-down                       # Stop all services"
	@echo "    make docker-restart                    # Restart all services"
	@echo "    make docker-ps                         # Show status"
	@echo "    make docker-logs                       # View all logs"
	@echo "    make docker-logs SERVICE=authz-api     # View specific logs"
	@echo "    make docker-clean                      # Remove containers & data"
	@echo ""
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo "                    VAULT & ENV MANAGEMENT"
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo ""
	@echo "  make vault-generate-env                  # Generate .env.local from vault"
	@echo "  make vault-migrate                       # Migrate .env.local to vault (one-time)"
	@echo "  make vault-sync                          # Sync vault with vault.example.yml"
	@echo "  make vault-setup                         # Multi-vault setup wizard"
	@echo "  make vault-setup ARGS='--status'         # Show vault status"
	@echo ""
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo "                         TESTING"
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo ""
	@echo "  Docker (local development):"
	@echo "    make test-docker                       # Show full help + filtering guide"
	@echo "    make test-docker SERVICE=agent         # Run agent tests"
	@echo "    make test-docker SERVICE=agent ARGS='tests/unit'  # Run only unit tests"
	@echo "    make test-docker SERVICE=agent ARGS='-k test_weather'"
	@echo "    make test-docker ACTION=list           # List all services + test categories"
	@echo "    make test-docker ACTION=list SERVICE=agent CATEGORY=unit DETAIL=full"
	@echo ""
	@echo "  Against remote (staging/production via Proxmox):"
	@echo "    make test-local SERVICE=agent INV=staging"
	@echo "    make test-local SERVICE=all INV=production"
	@echo ""
	@echo "  On containers (via SSH):"
	@echo "    make test SERVICE=agent INV=staging"
	@echo ""
	@echo "  Options:"
	@echo "    FAST=0      Include slow/GPU tests (default: FAST=1 skips them)"
	@echo "    WORKER=1    Start local data worker for pipeline tests"
	@echo "    ARGS='...'  Pass pytest arguments"
	@echo ""
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo "                 MLX & HOST-AGENT (Apple Silicon)"
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo ""
	@echo "  MLX Server (local LLM on Apple Silicon):"
	@echo "    make mlx-status                # Check MLX server status"
	@echo "    make mlx-start                 # Start MLX server"
	@echo "    make mlx-stop                  # Stop MLX server"
	@echo "    make mlx-restart               # Restart MLX server"
	@echo "    make mlx-media-status          # Check MLX media server status"
	@echo "    make mlx-media-start           # Start always-on media servers (voice/TTS only, ~0.2GB)"
	@echo "    make mlx-media-start-all       # Start ALL media servers including on-demand"
	@echo "    make mlx-media-stop            # Stop all media servers"
	@echo "    make mlx-media-restart         # Restart always-on media servers"
	@echo "    make mlx-transcribe            # Toggle Whisper STT server (on-demand, ~3GB)"
	@echo "    make mlx-image                 # Toggle Flux image-gen server (on-demand, ~4GB)"
	@echo ""
	@echo "  Host Agent (controls MLX from Docker):"
	@echo "    make host-agent-status         # Check host-agent status"
	@echo "    make host-agent-start          # Start host-agent"
	@echo "    make host-agent-stop           # Stop host-agent"
	@echo "    make host-agent-restart        # Restart host-agent"
	@echo ""
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo "                   KUBERNETES (Rackspace Spot)"
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo ""
	@echo "  make build-images                  # Trigger GHA image build (all services)"
	@echo "  make k8s-deploy                    # Apply + secrets + rollout restart"
	@echo "  make k8s-apply                     # Apply manifests only"
	@echo "  make k8s-secrets                   # Generate secrets from vault"
	@echo "  make k8s-status                    # Show deployment status"
	@echo "  make k8s-delete                    # Delete all resources"
	@echo "  make k8s-logs SERVICE=authz-api    # View pod logs"
	@echo ""
	@echo "  Access (HTTPS tunnel to K8s cluster):"
	@echo "    make connect                         # Connect (HTTPS tunnel + /etc/hosts)"
	@echo "    make connect DOMAIN=my.local          # Custom domain"
	@echo "    make connect LOCAL_PORT=8443          # High port (no sudo)"
	@echo "    make disconnect                       # Tear down tunnel"
	@echo "    make k8s-connect-status               # Check connection status"
	@echo ""
	@echo "  GPU Burst (on-demand GPU for heavy AI):"
	@echo "    make k8s-gpu-up                    # Provision GPU + start vLLM"
	@echo "    make k8s-gpu-down                  # Stop vLLM + deprovision GPU"
	@echo "    make k8s-gpu-status                # Show GPU burst status"
	@echo "    make k8s-gpu-window MINUTES=60     # Timed burst window"
	@echo ""
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo "                      ENVIRONMENTS"
	@echo "═══════════════════════════════════════════════════════════════════════"
	@echo ""
	@echo "  development - Docker dev mode (volume mounts, npm-linked busibox-app)"
	@echo "  demo        - Docker prod mode (apps from GitHub, for presentations)"
	@echo "  staging     - 10.96.201.x network (Docker or Proxmox)"
	@echo "  production  - 10.96.200.x network (Docker or Proxmox)"
	@echo ""
	@echo "  development and demo are always Docker-only."
	@echo "  staging and production can use either Docker or Proxmox backends."
	@echo "  The interactive menu will ask for your preference."
	@echo ""

# ============================================================================
# SETUP & CONFIGURE
# ============================================================================
setup:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN_IT) bash scripts/make/setup.sh
else
	@bash scripts/make/setup.sh
endif

configure:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN_IT) bash scripts/make/configure.sh
else
	@bash scripts/make/configure.sh
endif

# ============================================================================
# DEPLOY
# ============================================================================
# Interactive: make deploy
# Direct:      make deploy SERVICE=authz INV=staging
deploy:
ifeq ($(USE_MANAGER),1)
ifdef SERVICE
	@$(MANAGER_RUN) bash scripts/make/deploy.sh $(SERVICE) $(INV)
else
	@$(MANAGER_RUN_IT) bash scripts/make/deploy.sh
endif
else
ifdef SERVICE
	@bash scripts/make/deploy.sh $(SERVICE) $(INV)
else
	@bash scripts/make/deploy.sh
endif
endif

# ============================================================================
# TESTING
# ============================================================================

# Run tests - interactive menu or direct service test
# Interactive: make test              # Opens test menu
# Direct:      make test SERVICE=authz INV=staging
test:
ifdef SERVICE
	@PYTEST_ARGS="$(ARGS)" bash scripts/make/test.sh $(SERVICE) $(INV) $(MODE)
else
	@bash scripts/make/test-menu.sh
endif

# Run tests locally against remote containers
# Usage: make test-local SERVICE=authz INV=staging
test-local:
ifndef SERVICE
	@echo ""
	@echo "Error: SERVICE is required"
	@echo ""
	@echo "Usage: make test-local SERVICE=<service> INV=<env>"
	@echo ""
	@echo "Services: authz, data, search, agent, all"
	@echo "Environments: staging, production"
	@echo ""
	@echo "Examples:"
	@echo "  make test-local SERVICE=agent INV=staging"
	@echo "  make test-local SERVICE=all INV=production"
	@echo "  make test-local SERVICE=agent INV=staging ARGS='-k test_weather'"
	@echo "  make test-local SERVICE=data INV=staging WORKER=1"
	@echo ""
	@exit 1
endif
	@FAST=$${FAST:-1} WORKER=$${WORKER:-0} bash scripts/test/run-local-tests.sh $(SERVICE) $(INV) $(ARGS)

# Bootstrap test databases (schema + OAuth clients + signing keys)
# Run this before running tests to initialize test_authz, test_data, test_agent
test-db-init:
	@echo "Bootstrapping test databases..."
	@docker compose -f docker-compose.local.yml --env-file .env.local run --rm test-db-init

# Check if test databases are bootstrapped
test-db-check:
	@echo "Checking test database status..."
	@docker exec local-postgres psql -U busibox_test_user -d test_authz -c "SELECT COUNT(*) as signing_keys FROM authz_signing_keys WHERE is_active = true;" 2>/dev/null || echo "Test databases not initialized. Run: make test-db-init"

# Run tests against local Docker
# Usage: make test-docker SERVICE=authz
#        make test-docker ACTION=list                          # List all services + test categories
#        make test-docker ACTION=list SERVICE=agent            # List agent test files
#        make test-docker ACTION=list SERVICE=agent CATEGORY=unit  # List agent unit test files
#        make test-docker ACTION=list SERVICE=agent CATEGORY=unit DETAIL=full  # Collect test IDs from Docker
test-docker:
ifeq ($(ACTION),list)
	@bash scripts/test/list-tests.sh $(SERVICE) $(CATEGORY) $(DETAIL)
else
ifndef SERVICE
	@echo ""
	@echo "make test-docker — Run pytest tests inside Docker containers"
	@echo ""
	@echo "USAGE:"
	@echo "  make test-docker SERVICE=<service> [ARGS='...'] [FAST=0|1]"
	@echo ""
	@echo "SERVICES (Python APIs — run via pytest inside Docker container):"
	@echo "  authz      Authorization service (srv/authz)"
	@echo "  agent      Agent/chat service (srv/agent)"
	@echo "  data       Data service (srv/data)"
	@echo "  search     Search service (srv/search)"
	@echo "  bridge     Bridge service (srv/bridge)"
	@echo ""
	@echo "SERVICES (Node.js apps — run via vitest inside Docker container):"
	@echo "  busibox-portal   Portal app"
	@echo "  busibox-agents   Agents app"
	@echo "  apps             Both Node.js apps"
	@echo ""
	@echo "SPECIAL:"
	@echo "  all        Run all Python + Node.js tests"
	@echo ""
	@echo "FILTERING TESTS:"
	@echo "  Run a specific test directory:"
	@echo "    make test-docker SERVICE=agent ARGS='tests/unit'"
	@echo "    make test-docker SERVICE=agent ARGS='tests/integration'"
	@echo ""
	@echo "  Run a specific test file:"
	@echo "    make test-docker SERVICE=agent ARGS='tests/unit/test_base_agent.py'"
	@echo ""
	@echo "  Run a specific test class:"
	@echo "    make test-docker SERVICE=agent ARGS='tests/unit/test_base_agent.py::TestToolExecution'"
	@echo ""
	@echo "  Run specific test methods (space-separated paths in ARGS):"
	@echo "    make test-docker SERVICE=agent ARGS='tests/unit/test_base_agent.py::TestToolExecution::test_execute_step_passes_ctx_when_tool_requires_it_without_scopes tests/unit/test_chat_optimization.py::test_generate_plan_backfills_required_query_for_document_search'"
	@echo ""
	@echo "  Filter by test name pattern (-k):"
	@echo "    make test-docker SERVICE=agent ARGS='-k test_weather'"
	@echo "    make test-docker SERVICE=agent ARGS='-k \"test_chat and not slow\"'"
	@echo ""
	@echo "  Filter by pytest marker (-m):"
	@echo "    make test-docker SERVICE=agent ARGS='-m integration'"
	@echo "    make test-docker SERVICE=agent ARGS='-m \"not slow and not gpu\"'"
	@echo ""
	@echo "  Common markers: unit, integration, pvt, slow, gpu"
	@echo ""
	@echo "OPTIONS:"
	@echo "  FAST=1     Skip @pytest.mark.slow and @pytest.mark.gpu tests (default)"
	@echo "  FAST=0     Include slow/GPU tests"
	@echo "  WORKER=1   Start local data worker for pipeline tests"
	@echo ""
	@echo "DISCOVERING TESTS:"
	@echo "  make test-docker ACTION=list                              # Overview of all services"
	@echo "  make test-docker ACTION=list SERVICE=agent                # List agent test files by category"
	@echo "  make test-docker ACTION=list SERVICE=agent CATEGORY=unit  # List unit test files"
	@echo "  make test-docker ACTION=list SERVICE=agent CATEGORY=unit DETAIL=full"
	@echo "                                                            # Collect full test IDs from Docker"
	@echo ""
	@exit 1
endif
	@FAST=$${FAST:-1} INV=docker CONTAINER_PREFIX=dev bash scripts/test/run-local-tests.sh $(SERVICE) docker $(ARGS)
endif

# Security tests
test-security:
	@bash tests/security/run_tests.sh

# ============================================================================
# MCP SERVER
# ============================================================================
mcp:
	@MCP_BUILD=1 bash scripts/make/mcp.sh

# ============================================================================
# DOCKER LOCAL DEVELOPMENT
# ============================================================================

# Ensure .env.local exists
_ensure-env:
	@if [ ! -f $(ENV_FILE) ]; then \
		if [ -f env.local.example ]; then \
			echo "Creating $(ENV_FILE) from env.local.example..."; \
			cp env.local.example $(ENV_FILE); \
			echo "Edit $(ENV_FILE) to add your API keys"; \
		fi; \
	fi

# Start Docker services based on environment
# ENV=development -> dev overlay (volume mounts, npm-linked busibox-app)
# ENV=demo/staging/production -> prod overlay (apps built from GitHub)
# Requires valid GitHub token for private repos
docker-up:
	@echo "Starting Docker services (ENV=$(ENV), overlay=$(notdir $(COMPOSE_OVERLAY)))..."
	@existing_id=$$(docker inspect -f '{{.Id}}' "$(CONTAINER_PREFIX)-user-apps" 2>/dev/null || true); \
	if [ -n "$$existing_id" ]; then \
		existing_status=$$(docker inspect -f '{{.State.Status}}' "$(CONTAINER_PREFIX)-user-apps" 2>/dev/null || echo "unknown"); \
		existing_project=$$(docker inspect -f '{{ index .Config.Labels "com.docker.compose.project" }}' "$(CONTAINER_PREFIX)-user-apps" 2>/dev/null || echo ""); \
		if [ "$$existing_status" != "running" ] || [ -n "$$existing_project" -a "$$existing_project" != "$(COMPOSE_PROJECT)" ]; then \
			echo "[WARN] Removing stale container $(CONTAINER_PREFIX)-user-apps (status=$$existing_status, project=$$existing_project, expected=$(COMPOSE_PROJECT))"; \
			docker rm -f "$(CONTAINER_PREFIX)-user-apps" >/dev/null 2>&1 || true; \
		fi; \
	fi
	$(eval GITHUB_AUTH_TOKEN := $(or $(GITHUB_AUTH_TOKEN),$(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.github.personal_access_token 2>/dev/null || echo ""')))
	$(eval POSTGRES_PASSWORD := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.postgresql.password 2>/dev/null || (echo "FATAL: Cannot read POSTGRES_PASSWORD from vault" >&2 && exit 1)'))
	$(eval MINIO_ACCESS_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.minio.root_user 2>/dev/null || (echo "FATAL: Cannot read MINIO_ROOT_USER from vault" >&2 && exit 1)'))
	$(eval MINIO_SECRET_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.minio.root_password 2>/dev/null || (echo "FATAL: Cannot read MINIO_ROOT_PASSWORD from vault" >&2 && exit 1)'))
	$(eval AUTHZ_MASTER_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.authz_master_key 2>/dev/null || (echo "FATAL: Cannot read AUTHZ_MASTER_KEY from vault" >&2 && exit 1)'))
	$(eval LITELLM_API_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.litellm_api_key 2>/dev/null || echo ""'))
	$(eval LITELLM_MASTER_KEY := $(or $(LITELLM_API_KEY),$(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.litellm_master_key 2>/dev/null || echo ""')))
	$(eval LITELLM_SALT_KEY := $(or $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.litellm_salt_key 2>/dev/null || echo ""'),$(LITELLM_MASTER_KEY)))
	$(eval NEO4J_PASSWORD := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.neo4j.password 2>/dev/null || echo ""'))
	@if [ -z "$(GITHUB_AUTH_TOKEN)" ]; then \
		echo "[WARN] No GitHub token found (repos are public, continuing without it)"; \
	fi
ifneq ($(DEV_APPS_DIR),)
	@echo "Dev Apps Directory: $(DEV_APPS_DIR)"
endif
ifdef SERVICE
	GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)" DEV_APPS_DIR="$(DEV_APPS_DIR)" BUSIBOX_HOST_PATH="$(BUSIBOX_HOST_PATH)" CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" LITELLM_SALT_KEY="$(LITELLM_SALT_KEY)" NEO4J_PASSWORD="$(NEO4J_PASSWORD)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) up -d $(SERVICE)
else
	@echo "Phase 1/3: starting infrastructure prerequisites..."
	GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)" DEV_APPS_DIR="$(DEV_APPS_DIR)" BUSIBOX_HOST_PATH="$(BUSIBOX_HOST_PATH)" CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" LITELLM_SALT_KEY="$(LITELLM_SALT_KEY)" NEO4J_PASSWORD="$(NEO4J_PASSWORD)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) up -d postgres redis minio etcd milvus neo4j
	@echo "Phase 2/3: running one-time init services..."
	GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)" DEV_APPS_DIR="$(DEV_APPS_DIR)" BUSIBOX_HOST_PATH="$(BUSIBOX_HOST_PATH)" CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" LITELLM_SALT_KEY="$(LITELLM_SALT_KEY)" NEO4J_PASSWORD="$(NEO4J_PASSWORD)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) up -d minio-init milvus-init
	@echo "Phase 3/3: starting remaining services..."
	GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)" DEV_APPS_DIR="$(DEV_APPS_DIR)" BUSIBOX_HOST_PATH="$(BUSIBOX_HOST_PATH)" CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" LITELLM_SALT_KEY="$(LITELLM_SALT_KEY)" NEO4J_PASSWORD="$(NEO4J_PASSWORD)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) up -d
endif
	@echo ""
ifeq ($(ENV),development)
	@echo "Development mode started. Use 'make docker-ps' to check status."
	@echo "Core apps: busibox-frontend monorepo (7 apps)"
else
	@echo "$(ENV) mode started. Use 'make docker-ps' to check status."
	@echo "Next.js apps built from GitHub with npm-published busibox-app."
endif

# Legacy alias for explicit prod mode
docker-up-prod: _ensure-env
	$(MAKE) docker-up ENV=demo

# Start Docker services without rebuilding (fast start)
docker-start:
	@existing_id=$$(docker inspect -f '{{.Id}}' "$(CONTAINER_PREFIX)-user-apps" 2>/dev/null || true); \
	if [ -n "$$existing_id" ]; then \
		existing_status=$$(docker inspect -f '{{.State.Status}}' "$(CONTAINER_PREFIX)-user-apps" 2>/dev/null || echo "unknown"); \
		existing_project=$$(docker inspect -f '{{ index .Config.Labels "com.docker.compose.project" }}' "$(CONTAINER_PREFIX)-user-apps" 2>/dev/null || echo ""); \
		if [ "$$existing_status" != "running" ] || [ -n "$$existing_project" -a "$$existing_project" != "$(COMPOSE_PROJECT)" ]; then \
			echo "[WARN] Removing stale container $(CONTAINER_PREFIX)-user-apps (status=$$existing_status, project=$$existing_project, expected=$(COMPOSE_PROJECT))"; \
			docker rm -f "$(CONTAINER_PREFIX)-user-apps" >/dev/null 2>&1 || true; \
		fi; \
	fi
	$(eval POSTGRES_PASSWORD := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.postgresql.password 2>/dev/null || (echo "FATAL: Cannot read POSTGRES_PASSWORD from vault" >&2 && exit 1)'))
	$(eval MINIO_ACCESS_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.minio.root_user 2>/dev/null || (echo "FATAL: Cannot read MINIO_ROOT_USER from vault" >&2 && exit 1)'))
	$(eval MINIO_SECRET_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.minio.root_password 2>/dev/null || (echo "FATAL: Cannot read MINIO_ROOT_PASSWORD from vault" >&2 && exit 1)'))
	$(eval AUTHZ_MASTER_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.authz_master_key 2>/dev/null || (echo "FATAL: Cannot read AUTHZ_MASTER_KEY from vault" >&2 && exit 1)'))
	$(eval LITELLM_API_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.litellm_api_key 2>/dev/null || echo ""'))
	$(eval LITELLM_MASTER_KEY := $(or $(LITELLM_API_KEY),$(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.litellm_master_key 2>/dev/null || echo ""')))
	$(eval LITELLM_SALT_KEY := $(or $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.litellm_salt_key 2>/dev/null || echo ""'),$(LITELLM_MASTER_KEY)))
	$(eval NEO4J_PASSWORD := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.neo4j.password 2>/dev/null || echo ""'))
ifdef SERVICE
	DEV_APPS_DIR="$(DEV_APPS_DIR)" BUSIBOX_HOST_PATH="$(BUSIBOX_HOST_PATH)" CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" LITELLM_SALT_KEY="$(LITELLM_SALT_KEY)" NEO4J_PASSWORD="$(NEO4J_PASSWORD)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) up -d --no-build $(SERVICE)
else
	DEV_APPS_DIR="$(DEV_APPS_DIR)" BUSIBOX_HOST_PATH="$(BUSIBOX_HOST_PATH)" CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" LITELLM_SALT_KEY="$(LITELLM_SALT_KEY)" NEO4J_PASSWORD="$(NEO4J_PASSWORD)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) up -d --no-build
endif
	@echo ""
	@echo "Services started ($(ENV) mode). Use 'make docker-ps' to check status."

# Stop Docker services
# Uses COMPOSE_PROJECT_NAME to stop the correct environment's containers
# Usage: make docker-down ENV=demo   # Stops demo-busibox stack
#        make docker-down            # Stops dev-busibox stack (default)
docker-down:
	@echo "Stopping $(COMPOSE_PROJECT) containers..."
	docker compose -p $(COMPOSE_PROJECT) down 2>/dev/null || \
	(DEV_APPS_DIR="$(DEV_APPS_DIR)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) down 2>/dev/null || true)

# Stop ALL busibox environments (demo, dev, staging, prod)
docker-down-all:
	@echo "Stopping all Busibox environments..."
	docker compose -p demo-busibox down 2>/dev/null || true
	docker compose -p dev-busibox down 2>/dev/null || true
	docker compose -p staging-busibox down 2>/dev/null || true
	docker compose -p prod-busibox down 2>/dev/null || true

# Restart Docker services (simple restart, no recreation)
docker-restart:
	$(eval GITHUB_AUTH_TOKEN := $(or $(GITHUB_AUTH_TOKEN),$(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.github.personal_access_token 2>/dev/null || echo ""')))
	$(eval POSTGRES_PASSWORD := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.postgresql.password 2>/dev/null || (echo "FATAL: Cannot read POSTGRES_PASSWORD from vault" >&2 && exit 1)'))
	$(eval MINIO_ACCESS_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.minio.root_user 2>/dev/null || (echo "FATAL: Cannot read MINIO_ROOT_USER from vault" >&2 && exit 1)'))
	$(eval MINIO_SECRET_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.minio.root_password 2>/dev/null || (echo "FATAL: Cannot read MINIO_ROOT_PASSWORD from vault" >&2 && exit 1)'))
	$(eval AUTHZ_MASTER_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.authz_master_key 2>/dev/null || (echo "FATAL: Cannot read AUTHZ_MASTER_KEY from vault" >&2 && exit 1)'))
	$(eval LITELLM_API_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.litellm_api_key 2>/dev/null || echo ""'))
	$(eval LITELLM_MASTER_KEY := $(or $(LITELLM_API_KEY),$(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.litellm_master_key 2>/dev/null || echo ""')))
	$(eval LITELLM_SALT_KEY := $(or $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.litellm_salt_key 2>/dev/null || echo ""'),$(LITELLM_MASTER_KEY)))
	$(eval NEO4J_PASSWORD := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.neo4j.password 2>/dev/null || echo ""'))
ifdef SERVICE
	GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)" DEV_APPS_DIR="$(DEV_APPS_DIR)" CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" LITELLM_SALT_KEY="$(LITELLM_SALT_KEY)" NEO4J_PASSWORD="$(NEO4J_PASSWORD)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) restart $(SERVICE)
else
	GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)" DEV_APPS_DIR="$(DEV_APPS_DIR)" CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" LITELLM_SALT_KEY="$(LITELLM_SALT_KEY)" NEO4J_PASSWORD="$(NEO4J_PASSWORD)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) restart
endif

# Restart only API services (fast, preserves infrastructure like embedding-api, milvus, postgres)
# Use this when developing - embedding model stays loaded, so restarts are fast
docker-restart-apis:
	@echo "Restarting API services (infrastructure tier preserved)..."
	CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) restart authz-api deploy-api bridge-api data-api data-worker search-api agent-api docs-api proxy

# Restart data services only
docker-restart-data:
	@echo "Restarting data services..."
	CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) restart data-api data-worker

# Check/generate SSL certificates
ssl-check:
	@if [ ! -f ssl/localhost.crt ] || [ ! -f ssl/localhost.key ]; then \
		echo "[INFO] Generating SSL certificates..."; \
		bash scripts/setup/generate-local-ssl.sh; \
	fi

# Check GitHub token is available and valid
github-check:
	@bash scripts/lib/github.sh check
	$(eval GITHUB_AUTH_TOKEN := $(or $(GITHUB_AUTH_TOKEN),$(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.github.personal_access_token 2>/dev/null || echo ""')))
	@if [ -n "$(GITHUB_AUTH_TOKEN)" ]; then \
		export GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)"; \
	fi

# Ensure GitHub token is available (interactive prompt if needed)
github-ensure:
	@bash scripts/lib/github.sh ensure
	$(eval GITHUB_AUTH_TOKEN := $(or $(GITHUB_AUTH_TOKEN),$(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.github.personal_access_token 2>/dev/null || echo ""')))
	@if [ -n "$(GITHUB_AUTH_TOKEN)" ]; then \
		export GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)"; \
	fi

# Build Docker images based on environment
# ENV=development -> dev overlay, ENV=demo/staging/production -> prod overlay
# Requires valid GitHub token for private repos
docker-build: ssl-check
	$(eval GIT_COMMIT := $(shell git rev-parse --short HEAD 2>/dev/null || echo "unknown"))
	$(eval GITHUB_AUTH_TOKEN := $(or $(GITHUB_AUTH_TOKEN),$(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.github.personal_access_token 2>/dev/null || echo ""')))
	$(eval POSTGRES_PASSWORD := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.postgresql.password 2>/dev/null || (echo "FATAL: Cannot read POSTGRES_PASSWORD from vault" >&2 && exit 1)'))
	$(eval MINIO_ACCESS_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.minio.root_user 2>/dev/null || (echo "FATAL: Cannot read MINIO_ROOT_USER from vault" >&2 && exit 1)'))
	$(eval MINIO_SECRET_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.minio.root_password 2>/dev/null || (echo "FATAL: Cannot read MINIO_ROOT_PASSWORD from vault" >&2 && exit 1)'))
	$(eval AUTHZ_MASTER_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.authz_master_key 2>/dev/null || (echo "FATAL: Cannot read AUTHZ_MASTER_KEY from vault" >&2 && exit 1)'))
	$(eval LITELLM_API_KEY := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.litellm_api_key 2>/dev/null || echo ""'))
	$(eval LITELLM_MASTER_KEY := $(or $(LITELLM_API_KEY),$(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.litellm_master_key 2>/dev/null || echo ""')))
	$(eval LITELLM_SALT_KEY := $(or $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.litellm_salt_key 2>/dev/null || echo ""'),$(LITELLM_MASTER_KEY)))
	$(eval NEO4J_PASSWORD := $(shell bash -c 'source scripts/lib/vault.sh >/dev/null 2>&1 && set_vault_environment $(ENV_PREFIX) >/dev/null 2>&1 && ensure_vault_access >/dev/null 2>&1 && get_vault_secret secrets.neo4j.password 2>/dev/null || echo ""'))
	@if [ -z "$(GITHUB_AUTH_TOKEN)" ]; then \
		echo "[WARN] No GitHub token found (repos are public, continuing without it)"; \
	fi
	@echo "Building with version: $(GIT_COMMIT) (ENV=$(ENV), overlay=$(notdir $(COMPOSE_OVERLAY)))"
ifdef SERVICE
ifdef NO_CACHE
	GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)" GIT_COMMIT=$(GIT_COMMIT) CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" LITELLM_SALT_KEY="$(LITELLM_SALT_KEY)" NEO4J_PASSWORD="$(NEO4J_PASSWORD)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) build --no-cache $(SERVICE)
else
	GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)" GIT_COMMIT=$(GIT_COMMIT) CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" LITELLM_SALT_KEY="$(LITELLM_SALT_KEY)" NEO4J_PASSWORD="$(NEO4J_PASSWORD)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) build $(SERVICE)
endif
	@echo "Recreating container to apply new image..."
	GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)" GIT_COMMIT=$(GIT_COMMIT) BUSIBOX_HOST_PATH="$(BUSIBOX_HOST_PATH)" CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" LITELLM_SALT_KEY="$(LITELLM_SALT_KEY)" NEO4J_PASSWORD="$(NEO4J_PASSWORD)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) up -d --no-deps $(SERVICE)
else
ifdef NO_CACHE
	GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)" GIT_COMMIT=$(GIT_COMMIT) CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" LITELLM_SALT_KEY="$(LITELLM_SALT_KEY)" NEO4J_PASSWORD="$(NEO4J_PASSWORD)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) build --no-cache
else
	GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)" GIT_COMMIT=$(GIT_COMMIT) CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" LITELLM_SALT_KEY="$(LITELLM_SALT_KEY)" NEO4J_PASSWORD="$(NEO4J_PASSWORD)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) build
endif
	@echo "Recreating containers to apply new images..."
	GITHUB_AUTH_TOKEN="$(GITHUB_AUTH_TOKEN)" GIT_COMMIT=$(GIT_COMMIT) BUSIBOX_HOST_PATH="$(BUSIBOX_HOST_PATH)" CONTAINER_PREFIX=$(CONTAINER_PREFIX) COMPOSE_PROJECT_NAME=$(COMPOSE_PROJECT) POSTGRES_PASSWORD="$(POSTGRES_PASSWORD)" MINIO_ACCESS_KEY="$(MINIO_ACCESS_KEY)" MINIO_SECRET_KEY="$(MINIO_SECRET_KEY)" AUTHZ_MASTER_KEY="$(AUTHZ_MASTER_KEY)" LITELLM_API_KEY="$(LITELLM_API_KEY)" LITELLM_MASTER_KEY="$(LITELLM_MASTER_KEY)" docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) up -d
endif

# View Docker logs (uses environment-based overlay)
docker-logs:
ifdef SERVICE
	docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) logs -f $(SERVICE) 2>/dev/null || \
	docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_DEV) logs -f $(SERVICE) 2>/dev/null || \
	docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_PROD) logs -f $(SERVICE)
else
	docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) logs -f 2>/dev/null || \
	docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_DEV) logs -f 2>/dev/null || \
	docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_PROD) logs -f
endif

# Show Docker service status
# Usage: make docker-ps ENV=demo  # Shows demo-busibox stack
#        make docker-ps           # Shows dev-busibox stack (default)
docker-ps:
	@echo "Project: $(COMPOSE_PROJECT)"
	@docker compose -p $(COMPOSE_PROJECT) ps 2>/dev/null || \
	docker compose -f $(COMPOSE_FILE) -f $(COMPOSE_OVERLAY) ps 2>/dev/null

# Show status of ALL busibox environments
docker-ps-all:
	@echo "=== Demo Environment ===" && docker compose -p demo-busibox ps 2>/dev/null || true
	@echo ""
	@echo "=== Development Environment ===" && docker compose -p dev-busibox ps 2>/dev/null || true
	@echo ""
	@echo "=== Staging Environment ===" && docker compose -p staging-busibox ps 2>/dev/null || true
	@echo ""
	@echo "=== Production Environment ===" && docker compose -p prod-busibox ps 2>/dev/null || true

# Clean Docker environment for current ENV
# Usage: make docker-clean ENV=demo  # Cleans demo-busibox stack
docker-clean:
	@echo "WARNING: This will remove $(COMPOSE_PROJECT) containers and volumes!"
	@read -p "Are you sure? (y/N) " confirm; \
	if [ "$$confirm" = "y" ] || [ "$$confirm" = "Y" ]; then \
		docker compose -p $(COMPOSE_PROJECT) down -v --remove-orphans 2>/dev/null || true; \
		echo "Cleanup complete for $(COMPOSE_PROJECT)."; \
	else \
		echo "Cancelled."; \
	fi

# Clean ALL busibox Docker environments
docker-clean-all:
	@echo "WARNING: This will remove ALL Busibox environments (demo, dev, staging, prod)!"
	@read -p "Are you sure? (y/N) " confirm; \
	if [ "$$confirm" = "y" ] || [ "$$confirm" = "Y" ]; then \
		docker compose -p demo-busibox down -v --remove-orphans 2>/dev/null || true; \
		docker compose -p dev-busibox down -v --remove-orphans 2>/dev/null || true; \
		docker compose -p staging-busibox down -v --remove-orphans 2>/dev/null || true; \
		docker compose -p prod-busibox down -v --remove-orphans 2>/dev/null || true; \
		echo "All environments cleaned."; \
	else \
		echo "Cancelled."; \
	fi

# ============================================================================
# INSTALLATION
# ============================================================================
# Unified install with interactive wizard or demo mode.
# All management after install is via web UI (Busibox Portal).
#
# Usage:
#   make install         # Full wizard
#   make demo            # Demo mode (auto-configure)
#   make warmup          # Check cache and download missing models
#   make warmup FORCE=1  # Re-download (interactive selection)

# Interactive install with wizard OR deploy specific service
# Usage: make install                      # Install menu (Continue/Full/Clean if existing)
#        make install VERBOSE=1            # Show all logs
#        make install SERVICE=authz        # Deploy specific service (uses Ansible)
#        make install SERVICE=authz,agent  # Deploy multiple services
#
# When called without SERVICE=, shows the same install options as `make` -> Install:
# - Fresh install if no existing installation
# - Continue/Full/Clean menu if existing installation detected
install:
ifeq ($(USE_MANAGER),1)
ifdef SERVICE
	@$(MANAGER_RUN) bash scripts/make/service-deploy.sh "$(SERVICE)"
else
	@USE_ANSIBLE_FOR_DOCKER=$(USE_ANSIBLE) $(MANAGER_RUN_IT) bash scripts/make/install-menu.sh $(if $(VERBOSE),-v)
endif
	@if [ -f .mlx-setup-needed ]; then \
		rm -f .mlx-setup-needed; \
		echo "[INFO] Running MLX setup on macOS host..."; \
		bash scripts/make/mlx-host-setup.sh; \
	fi
	@if [ -f .ssl-setup-needed ]; then \
		rm -f .ssl-setup-needed; \
		echo "[INFO] Running localhost SSL setup on host (mkcert if available)..."; \
		bash scripts/setup/generate-local-ssl.sh; \
	fi
	@if [ -f .busibox-setup-link ]; then \
		echo ""; \
		echo "══════════════════════════════════════════════════════════════════════════════"; \
		echo "  Open the Busibox Portal to complete setup:"; \
		echo ""; \
		echo "  $$(cat .busibox-setup-link)"; \
		echo ""; \
		echo "══════════════════════════════════════════════════════════════════════════════"; \
		echo ""; \
		rm -f .busibox-setup-link; \
	fi
else
ifdef SERVICE
	@bash scripts/make/service-deploy.sh "$(SERVICE)"
else
	@USE_ANSIBLE_FOR_DOCKER=$(USE_ANSIBLE) bash scripts/make/install-menu.sh $(if $(VERBOSE),-v)
endif
endif

# DEPRECATED: Use 'make manage' for service management or 'make install SERVICE=x' to redeploy.
# Kept for backward compatibility - redirects to manage menu.
update:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN_IT) bash scripts/make/update-services.sh
else
	@bash scripts/make/update-services.sh
endif

# Service management menu OR direct service action
# Interactive menu for stopping/starting/redeploying services
# Supports both Docker and Proxmox backends
#
# Usage: make manage                                   # Interactive menu
#        make manage SERVICE=authz ACTION=restart      # Restart authz service
#        make manage SERVICE=authz,agent ACTION=stop   # Stop multiple services
#        make manage SERVICE=authz ACTION=logs         # View logs
#
# Core Developer Mode (Docker dev env only):
#        make manage SERVICE=core-apps            # Toggle via interactive menu (option 8, persisted to state)
#        CORE_APPS_MODE=dev  make manage SERVICE=core-apps ACTION=restart  # Force dev mode (hot-reload)
#        CORE_APPS_MODE=prod make manage SERVICE=core-apps ACTION=restart  # Force prod mode (default)
#
# Actions: start, stop, restart, logs, redeploy, status
# For core-app redeploy, pass REF= to select a specific branch/tag:
#   make manage SERVICE=busibox-portal ACTION=redeploy REF=v1.0.0
manage:
ifeq ($(USE_MANAGER),1)
ifdef SERVICE
	@DEPLOY_REF="$(REF)" $(MANAGER_RUN) bash scripts/make/service-manage.sh "$(SERVICE)" "$(ACTION)"
else
	@$(MANAGER_RUN_IT) bash scripts/make/manage.sh
endif
else
ifdef SERVICE
	@DEPLOY_REF="$(REF)" bash scripts/make/service-manage.sh "$(SERVICE)" "$(ACTION)"
else
	@bash scripts/make/manage.sh
endif
endif

# Reset Milvus collection (drop + recreate with correct embedding dimension)
# WARNING: Destroys all vectors — documents must be re-embedded afterward
# Usage: make milvus-reset                # Interactive confirmation
#        make milvus-reset CONFIRM=yes    # Skip confirmation
milvus-reset:
ifeq ($(USE_MANAGER),1)
	@CONFIRM="$(CONFIRM)" $(MANAGER_RUN_IT) bash scripts/make/milvus-reset.sh
else
	@CONFIRM="$(CONFIRM)" bash scripts/make/milvus-reset.sh
endif

# Validate that container env vars match vault secrets
# Usage: make validate-env
validate-env:
	@bash scripts/make/validate-env.sh

# Generate admin magic link and open browser
# Usage: make login
login:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN_IT) bash scripts/make/login.sh
else
	@bash scripts/make/login.sh
endif

# Rotate secrets (interactive)
# Usage: make rotate-secrets
rotate-secrets:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN_IT) bash scripts/make/rotate-secrets.sh
else
	@bash scripts/make/rotate-secrets.sh
endif

# Profile management (interactive)
# Usage: make profile
profile:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN_IT) bash scripts/make/launcher.sh --profile
else
	@bash scripts/make/launcher.sh --profile
endif

# Generate recovery magic link for admin access
# Use when browser/passkey access is lost
recover-admin:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN) bash scripts/make/recover-admin.sh
else
	@bash scripts/make/recover-admin.sh
endif

# ============================================================================
# ANSIBLE-BASED DOCKER DEPLOYMENT
# ============================================================================
# These targets use Ansible for Docker deployment, providing:
# - Idempotent operations
# - Unified patterns with LXC deployment
# - Better secrets management via Ansible Vault
#
# Usage: make docker-deploy              # Full deployment via Ansible
#        make docker-deploy-infra        # Deploy infrastructure only
#        make docker-deploy-apis         # Deploy API services
#        make docker-deploy-frontend     # Deploy frontend apps

docker-deploy:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN) "cd provision/ansible && make docker CONTAINER_PREFIX=$(CONTAINER_PREFIX) BUSIBOX_ENV=$(ENV)"
else
	@cd provision/ansible && $(MAKE) docker CONTAINER_PREFIX=$(CONTAINER_PREFIX) BUSIBOX_ENV=$(ENV)
endif

docker-deploy-infra:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN) "cd provision/ansible && make docker-infrastructure CONTAINER_PREFIX=$(CONTAINER_PREFIX) BUSIBOX_ENV=$(ENV)"
else
	@cd provision/ansible && $(MAKE) docker-infrastructure CONTAINER_PREFIX=$(CONTAINER_PREFIX) BUSIBOX_ENV=$(ENV)
endif

docker-deploy-apis:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN) "cd provision/ansible && make docker-apis CONTAINER_PREFIX=$(CONTAINER_PREFIX) BUSIBOX_ENV=$(ENV)"
else
	@cd provision/ansible && $(MAKE) docker-apis CONTAINER_PREFIX=$(CONTAINER_PREFIX) BUSIBOX_ENV=$(ENV)
endif

docker-deploy-llm:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN) "cd provision/ansible && make docker-llm CONTAINER_PREFIX=$(CONTAINER_PREFIX) BUSIBOX_ENV=$(ENV)"
else
	@cd provision/ansible && $(MAKE) docker-llm CONTAINER_PREFIX=$(CONTAINER_PREFIX) BUSIBOX_ENV=$(ENV)
endif

docker-deploy-frontend:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN) "cd provision/ansible && make docker-frontend CONTAINER_PREFIX=$(CONTAINER_PREFIX) BUSIBOX_ENV=$(ENV)"
else
	@cd provision/ansible && $(MAKE) docker-frontend CONTAINER_PREFIX=$(CONTAINER_PREFIX) BUSIBOX_ENV=$(ENV)
endif

# ============================================================================
# USER APP DEPLOYMENT
# ============================================================================
# Deploy user/external applications to the user-apps container.
# These are untrusted apps that run in an isolated container.
#
# Usage:
#   make deploy-user-app APP_ID=myapp REPO=owner/repo
#   make deploy-user-app APP_ID=myapp REPO=owner/repo BRANCH=develop
#   make deploy-user-app APP_ID=myapp REPO=owner/repo ENV=staging
#   make undeploy-user-app APP_ID=myapp
#
# Variables:
#   APP_ID   - Unique identifier for the app (required)
#   REPO     - GitHub repository in owner/repo format (required for deploy)
#   BRANCH   - Branch to deploy (default: main)
#   PORT     - Port the app listens on (default: auto-assigned)
#   ENV      - Target environment: docker, staging, production

# App deployment variables
APP_ID ?=
REPO ?=
BRANCH ?= main
APP_PORT ?=

.PHONY: deploy-user-app undeploy-user-app list-user-apps user-app-logs user-app-status

deploy-user-app:
	@if [ -z "$(APP_ID)" ]; then echo "ERROR: APP_ID is required"; exit 1; fi
	@if [ -z "$(REPO)" ]; then echo "ERROR: REPO is required (format: owner/repo)"; exit 1; fi
	@echo "Deploying user app: $(APP_ID) from $(REPO)"
	@cd provision/ansible && ansible-playbook \
		-i inventory/$(if $(filter docker,$(ENV)),docker,$(if $(filter staging production,$(ENV)),$(ENV),docker)) \
		user-app-deploy.yml \
		-e "app_id=$(APP_ID)" \
		-e "github_repo=$(REPO)" \
		-e "deploy_branch=$(BRANCH)" \
		$(if $(APP_PORT),-e "app_port=$(APP_PORT)") \
		$(if $(GITHUB_TOKEN),-e "github_token=$(GITHUB_TOKEN)") \
		$(EXTRA_ARGS)

undeploy-user-app:
	@if [ -z "$(APP_ID)" ]; then echo "ERROR: APP_ID is required"; exit 1; fi
	@echo "Undeploying user app: $(APP_ID)"
	@cd provision/ansible && ansible-playbook \
		-i inventory/$(if $(filter docker,$(ENV)),docker,$(if $(filter staging production,$(ENV)),$(ENV),docker)) \
		user-app-undeploy.yml \
		-e "app_id=$(APP_ID)" \
		$(EXTRA_ARGS)

list-user-apps:
	@echo "Listing deployed user apps..."
	@cd provision/ansible && ansible-playbook \
		-i inventory/$(if $(filter docker,$(ENV)),docker,$(if $(filter staging production,$(ENV)),$(ENV),docker)) \
		user-app-list.yml \
		$(EXTRA_ARGS)

user-app-logs:
	@if [ -z "$(APP_ID)" ]; then echo "ERROR: APP_ID is required"; exit 1; fi
	@if [ "$(ENV)" = "docker" ] || [ -z "$(ENV)" ]; then \
		docker exec $(CONTAINER_PREFIX)-user-apps sh -c "cd /srv/apps/$(APP_ID) && tail -f logs/*.log 2>/dev/null || echo 'No logs found'"; \
	else \
		cd provision/ansible && ansible user_apps -i inventory/$(ENV) -m shell -a "cd /srv/apps/$(APP_ID) && tail -100 logs/*.log 2>/dev/null || journalctl -u $(APP_ID) -n 100"; \
	fi

user-app-status:
	@if [ -z "$(APP_ID)" ]; then echo "ERROR: APP_ID is required"; exit 1; fi
	@if [ "$(ENV)" = "docker" ] || [ -z "$(ENV)" ]; then \
		docker exec $(CONTAINER_PREFIX)-user-apps sh -c "ps aux | grep -E '$(APP_ID)|node' | grep -v grep || echo 'App not running'"; \
	else \
		cd provision/ansible && ansible user_apps -i inventory/$(ENV) -m shell -a "systemctl status $(APP_ID) 2>/dev/null || echo 'Service not found'"; \
	fi

# ============================================================================
# MODEL WARMUP
# ============================================================================
# Pre-download models to cache for fast startup and offline use.
# Downloads: FastEmbed embedding model + MLX LLM models (Apple Silicon only)

# Check cache status and download any missing models
# Use --force to re-download (interactive model selection)
warmup:
	@bash scripts/make/warmup.sh $(if $(FORCE),--force)

# ============================================================================
# DEMO MODE
# ============================================================================
# One-command demo for investor presentations and air-gap demonstrations.
# Uses unified install with demo preset (local Docker, auto-detect LLM).

# Run demo (auto-configures everything)
# Prerequisites: Docker Desktop, 16GB+ RAM
# For offline mode: run 'make warmup' first
demo:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN) bash scripts/make/install.sh --demo --no-prompt $(if $(VERBOSE),-v)
else
	@bash scripts/make/install.sh --demo --no-prompt $(if $(VERBOSE),-v)
endif

# Stop demo environment and remove containers
# Use ARGS=--volumes to also remove data volumes
demo-clean:
	@echo "Stopping demo-busibox containers..."
	@docker compose -p demo-busibox down $(if $(findstring --volumes,$(ARGS)),-v) 2>/dev/null || true
	@echo "Demo environment cleaned."

# Show demo status (system info, running services)
demo-status:
	@echo ""
	@echo "=== Demo System Info ==="
	@bash scripts/llm/detect-backend.sh 2>/dev/null || echo "Backend: cloud"
	@echo ""
	@bash scripts/llm/get-memory-tier.sh 2>/dev/null || echo "Tier: minimal"
	@echo ""
	@echo "=== Demo Docker Services ==="
	@docker compose -p demo-busibox ps 2>/dev/null || echo "No demo services running"
	@echo ""

# ============================================================================
# VAULT & ENV MANAGEMENT
# ============================================================================
# Generate .env.local from Ansible vault (single source of truth)
vault-generate-env:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN) bash scripts/vault/generate-env-from-vault.sh
else
	@bash scripts/vault/generate-env-from-vault.sh
endif

# Migrate existing .env.local to Ansible vault (one-time operation)
vault-migrate:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN_IT) bash scripts/vault/migrate-env-to-vault.sh
else
	@bash scripts/vault/migrate-env-to-vault.sh
endif

# Sync vault structure with vault.example.yml
vault-sync:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN) bash scripts/vault/sync-vault.sh
else
	@bash scripts/vault/sync-vault.sh
endif

# Multi-vault setup: Create environment-specific vault files
# Usage: make vault-setup           # Interactive wizard
#        make vault-setup --status  # Show vault status
vault-setup:
ifeq ($(USE_MANAGER),1)
	@$(MANAGER_RUN_IT) bash scripts/vault-migrate.sh $(ARGS)
else
	@bash scripts/vault-migrate.sh $(ARGS)
endif

# ============================================================================
# MLX & HOST-AGENT MANAGEMENT (Apple Silicon only)
# ============================================================================
# MLX runs on the host machine (not in Docker) for best performance.
# The host-agent provides an HTTP API to control MLX from Docker containers.

# Check MLX server status
mlx-status:
	@echo "=== MLX Server Status ==="
	@PRIMARY_MODEL=$$(ps -ax -o command= | awk '(/mlx_lm\.server/ || /mlx-outlines-server/) && /--port 8080/ {for(i=1;i<=NF;i++) if($$i=="--model" && (i+1)<=NF){print $$(i+1); exit}}'); \
	if [ -n "$$PRIMARY_MODEL" ]; then \
		echo "MLX Primary: Running (port 8080)"; \
		echo "  Active model: $$PRIMARY_MODEL"; \
		if curl -sf http://localhost:8080/v1/models >/dev/null 2>&1; then \
			echo "  Health: Healthy"; \
		else \
			echo "  Health: Not responding"; \
		fi; \
	else \
		echo "MLX Primary: Not running"; \
	fi
	@FAST_PORT=$${MLX_FAST_PORT:-18081}; \
	FAST_MODEL=$$(ps -ax -o command= | awk -v p="$$FAST_PORT" '/mlx_lm\.server/ || /mlx-outlines-server/ { \
		has_port=0; \
		for(i=1;i<=NF;i++) { \
			if($$i=="--port" && (i+1)<=NF && $$(i+1)==p) has_port=1; \
		} \
		if(has_port) { \
			for(i=1;i<=NF;i++) if($$i=="--model" && (i+1)<=NF) {print $$(i+1); exit} \
		} \
	}'); \
	if [ -n "$$FAST_MODEL" ]; then \
		echo "MLX Fast: Running (port $$FAST_PORT)"; \
		echo "  Active model: $$FAST_MODEL"; \
		if curl -sf http://localhost:$$FAST_PORT/v1/models >/dev/null 2>&1; then \
			echo "  Health: Healthy"; \
		else \
			echo "  Health: Not responding"; \
		fi; \
	else \
		echo "MLX Fast: Not running (port $$FAST_PORT)"; \
	fi
	@echo ""
	@echo "=== Media Servers ==="
	@TOKEN=$$(awk -F= '/^HOST_AGENT_TOKEN=/{val=substr($$0, index($$0,$$2))} END{print val}' $(ENV_FILE) 2>/dev/null | tr -d '\r\n'); \
	if curl -sf http://localhost:8089/health >/dev/null 2>&1; then \
		if [ -n "$$TOKEN" ]; then \
			curl -sf "http://localhost:8089/media/status" -H "Authorization: Bearer $$TOKEN" 2>/dev/null | \
			jq -r '.servers | to_entries[] | "  \(.value.label // .key) (\(.key)):" + if .value.running then " Running (port \(.value.port // "?"))" + if .value.healthy then " [healthy]" else " [unhealthy]" end + if .value.model then "\n    Model: \(.value.model)" else "" end else " Stopped" + if .value.model then " (model: \(.value.model))" else "" end end' 2>/dev/null || echo "  (failed to parse media status)"; \
		else \
			curl -sf "http://localhost:8089/media/status" 2>/dev/null | \
			jq -r '.servers | to_entries[] | "  \(.value.label // .key) (\(.key)):" + if .value.running then " Running (port \(.value.port // "?"))" + if .value.healthy then " [healthy]" else " [unhealthy]" end + if .value.model then "\n    Model: \(.value.model)" else "" end else " Stopped" + if .value.model then " (model: \(.value.model))" else "" end end' 2>/dev/null || echo "  (failed to parse media status)"; \
		fi; \
	else \
		echo "  (host-agent not running)"; \
	fi
	@echo ""
	@echo "=== Host Agent Status ==="
	@if curl -sf http://localhost:8089/health >/dev/null 2>&1; then \
		echo "Host Agent: Running (port 8089)"; \
	else \
		echo "Host Agent: Not running"; \
	fi

# Start MLX server (via host-agent or directly)
# Reads HOST_AGENT_TOKEN from .env.dev for authentication
mlx-start:
	@echo "Starting MLX server..."
	@TOKEN=$$(awk -F= '/^HOST_AGENT_TOKEN=/{val=substr($$0, index($$0,$$2))} END{print val}' $(ENV_FILE) 2>/dev/null | tr -d '\r\n'); \
	if ! curl -sf http://localhost:8089/health >/dev/null 2>&1; then \
		echo "Host-agent not running. Starting host-agent..."; \
		$(MAKE) host-agent-start >/dev/null; \
		sleep 1; \
	fi; \
	if curl -sf http://localhost:8089/health >/dev/null 2>&1; then \
		echo "Using host-agent to start MLX..."; \
		if [ -n "$$TOKEN" ]; then \
			TMPOUT=$$(mktemp); \
			HTTP_CODE=$$(curl -s -o "$$TMPOUT" -w '%{http_code}' -X POST http://localhost:8089/mlx/start \
				-H "Content-Type: application/json" \
				-H "Authorization: Bearer $$TOKEN" \
				-d '{"model_type": "dual"}'); \
			if [ "$$HTTP_CODE" -ge 200 ] && [ "$$HTTP_CODE" -lt 300 ] 2>/dev/null; then \
				cat "$$TMPOUT" | bash scripts/lib/host-agent-format.sh && echo "MLX server started" || echo "Failed - check host-agent logs"; \
			else \
				echo "Host-agent /mlx/start returned HTTP $$HTTP_CODE"; \
				cat "$$TMPOUT" 2>/dev/null; echo; \
			fi; \
			rm -f "$$TMPOUT"; \
		else \
			echo "Warning: HOST_AGENT_TOKEN not found in $(ENV_FILE)"; \
			curl -sf -X POST http://localhost:8089/mlx/start \
				-H "Content-Type: application/json" \
				-d '{"model_type": "dual"}' | bash scripts/lib/host-agent-format.sh || echo "Failed - authentication may be required"; \
		fi; \
		if ! curl -sf http://localhost:8080/v1/models >/dev/null 2>&1 || ! curl -sf http://localhost:$${MLX_FAST_PORT:-18081}/v1/models >/dev/null 2>&1; then \
			echo "Host-agent start did not bring up both MLX servers. Falling back to direct dual startup..."; \
			bash scripts/llm/start-mlx-server.sh --dual; \
		fi; \
	else \
		echo "Host-agent unavailable. Starting MLX directly..."; \
		bash scripts/llm/start-mlx-server.sh --dual; \
	fi

# Stop MLX server
mlx-stop:
	@echo "Stopping MLX server..."
	@TOKEN=$$(awk -F= '/^HOST_AGENT_TOKEN=/{val=substr($$0, index($$0,$$2))} END{print val}' $(ENV_FILE) 2>/dev/null | tr -d '\r\n'); \
	if curl -sf http://localhost:8089/health >/dev/null 2>&1; then \
		if [ -n "$$TOKEN" ]; then \
			curl -sf -X POST http://localhost:8089/mlx/stop \
				-H "Authorization: Bearer $$TOKEN" | bash scripts/lib/host-agent-format.sh && echo "MLX server stopped" || echo "Failed - check host-agent logs"; \
		else \
			curl -sf -X POST http://localhost:8089/mlx/stop | bash scripts/lib/host-agent-format.sh || echo "Failed - authentication may be required"; \
		fi; \
	else \
		(pkill -f "mlx_lm.server" 2>/dev/null || true); \
		(pkill -f "mlx-outlines-server/server.py" 2>/dev/null || true); \
		echo "MLX server stopped"; \
	fi

# Restart MLX server (also restarts host-agent so it picks up config changes)
mlx-restart: mlx-stop host-agent-restart
	@sleep 2
	@$(MAKE) mlx-start

# Verify all required models are cached; offer to download missing ones
mlx-sync:
	@TOKEN=$$(awk -F= '/^HOST_AGENT_TOKEN=/{val=substr($$0, index($$0,$$2))} END{print val}' $(ENV_FILE) 2>/dev/null | tr -d '\r\n'); \
	if ! curl -sf http://localhost:8089/health >/dev/null 2>&1; then \
		echo "Host-agent not running. Starting..."; \
		$(MAKE) host-agent-start >/dev/null; \
		sleep 2; \
	fi; \
	AUTH=""; \
	if [ -n "$$TOKEN" ]; then AUTH="-H \"Authorization: Bearer $$TOKEN\""; fi; \
	RESP=$$(eval curl -sf --max-time 15 $$AUTH http://localhost:8089/models/required 2>/dev/null); \
	if [ -z "$$RESP" ]; then \
		echo "ERROR: Could not query model status from host-agent"; exit 1; \
	fi; \
	TIER=$$(echo "$$RESP" | jq -r '.tier // "unknown"'); \
	echo ""; \
	echo "=== Model Cache Status ==="; \
	echo ""; \
	echo "  LLM Models (tier: $$TIER):"; \
	echo "$$RESP" | jq -r '.models[] | select(.category == "llm") | if .cached then "    [cached]  \(.role):\t\(.name) (\(.size_human // "?"))" else "    [MISSING] \(.role):\t\(.name)" end'; \
	echo ""; \
	echo "  Media Models:"; \
	echo "$$RESP" | jq -r '.models[] | select(.category == "media") | if .cached then "    [cached]  \(.role):\t\(.name) (\(.size_human // "?"))" else "    [MISSING] \(.role):\t\(.name)" end'; \
	echo ""; \
	MISSING=$$(echo "$$RESP" | jq -r '.missing_count'); \
	if [ "$$MISSING" = "0" ]; then \
		echo "All models are cached."; \
	else \
		echo "$$MISSING model(s) missing."; \
		printf "Download now? [y/N]: "; \
		read answer; \
		case "$$answer" in \
			[Yy]*) \
				echo "$$RESP" | jq -r '.models[] | select(.cached == false) | .name' | while IFS= read -r model; do \
					[ -z "$$model" ] && continue; \
					echo "Downloading $$model..."; \
					CURL_ARGS=(-sf --max-time 600 -N -X POST -H "Content-Type: application/json"); \
					if [ -n "$$TOKEN" ]; then CURL_ARGS+=(-H "Authorization: Bearer $$TOKEN"); fi; \
					curl "$${CURL_ARGS[@]}" -d "{\"model\": \"$$model\"}" \
						http://localhost:8089/mlx/models/download 2>/dev/null | while IFS= read -r line; do \
						msg=$$(echo "$$line" | sed 's/^data: //' | jq -r '.message // empty' 2>/dev/null); \
						[ -n "$$msg" ] && echo "  $$msg"; \
					done; \
				done; \
				echo ""; \
				echo "Download complete."; \
				;; \
			*) echo "Skipped." ;; \
		esac; \
	fi

# Check MLX media servers status
mlx-media-status:
	@bash scripts/llm/start-mlx-media-servers.sh status

# Start always-on media servers (voice/TTS only, ~0.2GB)
mlx-media-start:
	@bash scripts/llm/start-mlx-media-servers.sh start

# Start ALL media servers including on-demand (Whisper ~3GB + Flux ~4GB)
mlx-media-start-all:
	@bash scripts/llm/start-mlx-media-servers.sh start-all

# Stop all media servers
mlx-media-stop:
	@bash scripts/llm/start-mlx-media-servers.sh stop

# Restart always-on media servers
mlx-media-restart: mlx-media-stop
	@sleep 2
	@$(MAKE) mlx-media-start

# Toggle Whisper STT server (on-demand, ~3GB — starts if stopped, stops if running)
mlx-transcribe:
	@bash scripts/llm/start-mlx-media-servers.sh transcribe

# Toggle Flux image-gen server (on-demand, ~4GB — starts if stopped, stops if running)
mlx-image:
	@bash scripts/llm/start-mlx-media-servers.sh image

# Check host-agent status
host-agent-status:
	@echo "=== Host Agent Status ==="
	@if curl -sf http://localhost:8089/health >/dev/null 2>&1; then \
		echo "Status: Running (port 8089)"; \
		curl -sf http://localhost:8089/health 2>/dev/null; \
	else \
		echo "Status: Not running"; \
		echo ""; \
		echo "Start with: make host-agent-start"; \
	fi

# Start host-agent (runs in background)
host-agent-start:
	@echo "Starting host-agent..."
	@if curl -sf http://localhost:8089/health >/dev/null 2>&1; then \
		echo "Host-agent is already running."; \
	else \
		bash scripts/host-agent/install-host-agent.sh; \
		sleep 2; \
		if curl -sf http://localhost:8089/health >/dev/null 2>&1; then \
			echo "Host-agent started successfully."; \
		else \
			echo "Failed to start host-agent. Check logs."; \
		fi; \
	fi

# Stop host-agent
host-agent-stop:
	@echo "Stopping host-agent..."
	@PLIST="$(HOME)/Library/LaunchAgents/com.busibox.host-agent.plist"; \
	if [ -f "$$PLIST" ] && launchctl list 2>/dev/null | grep -q com.busibox.host-agent; then \
		launchctl unload "$$PLIST" 2>/dev/null || true; \
		echo "Host-agent service unloaded"; \
	fi; \
	pkill -f "host-agent.py" 2>/dev/null || true; \
	sleep 1; \
	if pgrep -f "host-agent.py" >/dev/null 2>&1; then \
		pkill -9 -f "host-agent.py" 2>/dev/null || true; \
	fi

# Restart host-agent
host-agent-restart: host-agent-stop
	@sleep 1
	@$(MAKE) host-agent-start

# Backward compatibility
docker-test: test-docker

# ============================================================================
# KUBERNETES DEPLOYMENT (Rackspace Spot / Cloud)
# ============================================================================
# Deploy Busibox to a Kubernetes cluster using in-cluster build server.
# Images are built externally via GitHub Actions and pushed to GHCR
# (ghcr.io/jazzmind/busibox/*). Legacy in-cluster builds are available
# via --legacy-build.
#
# Usage:
#   make build-images                  # Trigger GHA image build (all services)
#   make build-images SERVICE=authz-api  # Build one service
#   make k8s-deploy                    # Apply + secrets + rollout restart
#   make k8s-apply                     # Apply manifests only
#   make k8s-secrets                   # Generate and apply secrets from vault
#   make k8s-status                    # Show deployment status
#   make k8s-delete                    # Delete all resources
#   make k8s-logs SERVICE=authz-api    # View pod logs
#
# Variables:
#   K8S_OVERLAY    - Kustomize overlay (default: rackspace-spot)
#   K8S_TAG        - Image tag (default: git short SHA)
#   KUBECONFIG     - Path to kubeconfig (default: k8s/kubeconfig-rackspace-spot.yaml)
#   IMAGE_SOURCE   - Set to "ghcr" on Docker deploys to pull pre-built images

K8S_OVERLAY ?= rackspace-spot
K8S_TAG ?= $(shell git rev-parse --short HEAD 2>/dev/null || echo "latest")

# Trigger GitHub Actions to build and push images to GHCR
build-images:
ifdef SERVICE
	@OVERLAY=$(K8S_OVERLAY) TAG=$(K8S_TAG) bash scripts/k8s/deploy.sh --trigger-build --service $(SERVICE)
else
	@OVERLAY=$(K8S_OVERLAY) TAG=$(K8S_TAG) bash scripts/k8s/deploy.sh --trigger-build
endif

# Full deployment: generate secrets, apply manifests, rollout restart (pulls :latest from GHCR)
k8s-deploy:
ifdef SERVICE
	@OVERLAY=$(K8S_OVERLAY) TAG=$(K8S_TAG) bash scripts/k8s/deploy.sh --all --service $(SERVICE)
else
	@OVERLAY=$(K8S_OVERLAY) TAG=$(K8S_TAG) bash scripts/k8s/deploy.sh --all
endif

# Legacy: sync + build on in-cluster build server
k8s-sync:
ifdef SERVICE
	@OVERLAY=$(K8S_OVERLAY) TAG=$(K8S_TAG) bash scripts/k8s/deploy.sh --sync --service $(SERVICE)
else
	@OVERLAY=$(K8S_OVERLAY) TAG=$(K8S_TAG) bash scripts/k8s/deploy.sh --sync
endif

# Legacy: build images on in-cluster build server
k8s-build:
ifdef SERVICE
	@OVERLAY=$(K8S_OVERLAY) TAG=$(K8S_TAG) bash scripts/k8s/deploy.sh --legacy-build --build --service $(SERVICE)
else
	@OVERLAY=$(K8S_OVERLAY) TAG=$(K8S_TAG) bash scripts/k8s/deploy.sh --legacy-build --build
endif

# Apply Kubernetes manifests (images must already be in registry)
k8s-apply:
	@OVERLAY=$(K8S_OVERLAY) TAG=$(K8S_TAG) bash scripts/k8s/deploy.sh --apply

# Generate and apply secrets from vault
k8s-secrets:
	@OVERLAY=$(K8S_OVERLAY) bash scripts/k8s/deploy.sh --secrets

# Show Kubernetes deployment status
k8s-status:
	@OVERLAY=$(K8S_OVERLAY) bash scripts/k8s/deploy.sh --status

# Delete all Kubernetes resources
k8s-delete:
	@OVERLAY=$(K8S_OVERLAY) bash scripts/k8s/deploy.sh --delete

# View logs for a Kubernetes pod
k8s-logs:
ifndef SERVICE
	@echo ""
	@echo "Usage: make k8s-logs SERVICE=<service>"
	@echo ""
	@echo "Services: postgres, redis, minio, milvus, etcd, authz-api, data-api,"
	@echo "          data-worker, search-api, agent-api, bridge-api, docs-api,"
	@echo "          embedding-api, litellm, proxy"
	@echo ""
	@exit 1
endif
	@kubectl --kubeconfig=k8s/kubeconfig-rackspace-spot.yaml logs -n busibox -l app=$(SERVICE) -f --tail=100

# GPU Burst Window Management
# Provision GPU node, deploy vLLM, run AI tasks, deprovision
# Usage:
#   make k8s-gpu-up                     # Provision GPU + start vLLM
#   make k8s-gpu-down                   # Stop vLLM + deprovision GPU
#   make k8s-gpu-status                 # Show GPU burst status
#   make k8s-gpu-window MINUTES=60      # Timed burst window (auto-shutdown)

MINUTES ?= 60

k8s-gpu-up:
	@bash scripts/k8s/gpu-burst.sh --up

k8s-gpu-down:
	@bash scripts/k8s/gpu-burst.sh --down

k8s-gpu-status:
	@bash scripts/k8s/gpu-burst.sh --status

k8s-gpu-window:
	@bash scripts/k8s/gpu-burst.sh --window $(MINUTES)

# Rackspace Spot Node Management
# Check market prices and available server classes
spot-check:
	@bash scripts/k8s/spot-manager.sh check

# Swap to a different server class (persistent volumes re-attach automatically)
# Usage: make spot-swap CLASS=mh.vs1.large-iad [BID=0.04]
spot-swap:
ifndef CLASS
	$(error CLASS is required. Example: make spot-swap CLASS=mh.vs1.large-iad)
endif
ifdef BID
	@bash scripts/k8s/spot-manager.sh swap --class $(CLASS) --bid $(BID)
else
	@bash scripts/k8s/spot-manager.sh swap --class $(CLASS)
endif

# Adjust bid price without changing server class
# Usage: make spot-price BID=0.04
spot-price:
ifndef BID
	$(error BID is required. Example: make spot-price BID=0.04)
endif
	@bash scripts/k8s/spot-manager.sh price --bid $(BID)

# K8s Connect - Local HTTPS tunnel to K8s cluster
# Sets up SSL cert, patches nginx for HTTPS, configures /etc/hosts,
# and starts kubectl port-forward for seamless local access.
#
# Usage:
#   make connect                          # Connect with defaults (busibox.local:443)
#   make connect DOMAIN=my.local          # Custom domain
#   make connect LOCAL_PORT=8443          # Custom port (avoids sudo)
#   make disconnect                       # Tear down tunnel
#   make k8s-connect-status               # Check connection status

DOMAIN ?= busibox.local
LOCAL_PORT ?= 443

connect:
	@DOMAIN=$(DOMAIN) LOCAL_PORT=$(LOCAL_PORT) bash scripts/k8s/connect.sh

disconnect:
	@bash scripts/k8s/connect.sh --disconnect

k8s-connect-status:
	@bash scripts/k8s/connect.sh --status

# ============================================================================
# BUSIBOX CLI (Rust TUI)
# ============================================================================
# Interactive TUI for setup, hardware detection, model config, and service
# management. Gradually replaces bash scripts with native Rust.
#
# Usage:
#   make busibox-build    # Compile the CLI binary
#   make busibox          # Build and run the CLI

busibox-build:
	@bash scripts/make/busibox-cli.sh build

busibox:
	@bash scripts/make/busibox-cli.sh run