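#!/usr/bin/env python3
"""Copy generated infrastructure docs and diagrams into a public output folder.

Usage: <script> GENERATED_DIR DIAGRAMS_DIR OUT_DIR

Every copied file is passed through :func:`sanitize_text` first, and two
static Markdown pages (``index.md`` and ``diagrams.md``) are written next to
them.

The redaction is pattern based and therefore best effort: anything the
patterns below do not recognise is published unchanged. Review the contents
of OUT_DIR before it is pushed to a public site.
"""
import re
import sys
from pathlib import Path

# Internal hostnames under the private dynamic-DNS zone.
_INTERNAL_HOST_RE = re.compile(r'\b[a-zA-Z0-9.-]+\.lan\.ddnsgeek\.com\b')

# RFC 1918 IPv4 ranges only (10/8, 172.16/12, 192.168/16). IPv6, link-local
# and public addresses are NOT matched by this pattern.
_PRIVATE_IPV4_RE = re.compile(
    r'\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}'
    r'|192\.168\.\d{1,3}\.\d{1,3}'
    r'|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3})\b'
)

# key[:=]value pairs whose key contains a credential keyword anywhere in it.
# The look-behind replaces a plain \b so that underscore-prefixed names such
# as DB_PASSWORD are recognised in the middle of a line ('_' is a word
# character, so \b never fires between '_' and 'P'). A quoted value is
# consumed up to its closing quote, so values containing spaces are removed
# in full. The \s* after the separator can span a newline, exactly as in the
# pattern this replaces: an empty value swallows the first token of the next
# line. That errs toward over-redaction and is left as is.
_SECRET_PAIR_RE = re.compile(
    r'(?<![A-Za-z0-9_.-])'
    r'([A-Za-z0-9_.-]*(?:password|token|api[_-]?key|secret)[A-Za-z0-9_.-]*)'
    r'\s*[:=]\s*'
    r'(?:"[^"\n]*"|' r"'[^'\n]*'" r'|\S)\S*',
    re.IGNORECASE,
)

# Upper-case environment-style assignments: the rest of the line is dropped.
# Leading indentation and a YAML list marker ("- ") are tolerated so that
# list-form environment entries are covered as well as .env-style lines.
_SECRET_LINE_RE = re.compile(
    r'(?m)^([ \t]*(?:-[ \t]+)?'
    r'[A-Z0-9_]*(?:PASSWORD|TOKEN|API_KEY|SECRET)[A-Z0-9_]*)\s*[:=]\s*.*$'
)

_MARKDOWN_SOURCES = ('compose-inventory.md', 'traefik-routes.md')
_SVG_SOURCES = ('docker-compose.svg', 'physical-topology.svg', 'docker-traefik-dynu.svg')

_INDEX_MD = """# Public Infrastructure Summary

This documentation is generated from the infrastructure repository. Sensitive values are redacted.

> Generated docs are sanitised/redacted before publishing to GitHub Pages.

## Infrastructure diagrams

### Physical / virtual topology

![Physical topology](physical-topology.svg)

### Docker, Traefik and Dynu routing

![Docker Traefik Dynu](docker-traefik-dynu.svg)

## Documents

- [Diagrams](diagrams.md)
- [Compose Inventory](compose-inventory.md)
- [Traefik Routes](traefik-routes.md)
"""

_DIAGRAMS_MD = """# Infrastructure diagrams

## Physical / virtual topology

This view groups containers by inferred host and service role (edge/proxy/auth, monitoring, automation, apps, and supporting storage/services).

![Physical topology](physical-topology.svg)

## Docker, Traefik and Dynu routing

This view shows sanitised public DNS names flowing to Traefik, then to exposed Docker services, with backend Docker network membership shown as secondary context.

_Diagrams are generated from Compose data and Traefik labels._

![Docker Traefik Dynu](docker-traefik-dynu.svg)
"""


def sanitize_text(content: str) -> str:
    """Return *content* with internal hosts, private IPv4s and secrets removed.

    Applied in order:

    1. hostnames ending in ``.lan.ddnsgeek.com`` are deleted;
    2. RFC 1918 IPv4 addresses are deleted;
    3. ``key: value`` / ``key=value`` pairs whose key contains ``password``,
       ``token``, ``api_key``/``api-key``/``apikey`` or ``secret`` (any case,
       with any prefix or suffix) are reduced to ``key=``;
    4. upper-case environment-style lines with such a key are reduced to
       ``KEY=`` for the whole line.

    Not covered: credentials stored under key names without these keywords
    (for example hashes in proxy labels or credentials embedded in URLs),
    other internal domains, IPv6 and public addresses, and text that an SVG
    splits across elements or encodes as character entities.
    """
    content = _INTERNAL_HOST_RE.sub('', content)
    content = _PRIVATE_IPV4_RE.sub('', content)
    content = _SECRET_PAIR_RE.sub(r'\1=', content)
    content = _SECRET_LINE_RE.sub(r'\1=', content)
    return content


def _publish_sanitized(src_dir: Path, dest_dir: Path, names) -> None:
    """Write a sanitised copy of each existing file in *names* to *dest_dir*."""
    for name in names:
        src = src_dir / name
        if not src.exists():
            # Optional inputs: a missing file is skipped, not an error.
            continue
        # errors='ignore' drops undecodable bytes instead of aborting the run.
        raw = src.read_text(encoding='utf-8', errors='ignore')
        (dest_dir / name).write_text(sanitize_text(raw), encoding='utf-8')


def main(argv: list) -> int:
    """Run the export; *argv* is ``[prog, generated_dir, diagrams_dir, out_dir]``."""
    if len(argv) != 4:
        prog = argv[0] if argv else 'script'
        print(f'usage: {prog} GENERATED_DIR DIAGRAMS_DIR OUT_DIR', file=sys.stderr)
        return 2

    src_generated = Path(argv[1])
    src_diagrams = Path(argv[2])
    out_dir = Path(argv[3])
    out_dir.mkdir(parents=True, exist_ok=True)

    _publish_sanitized(src_generated, out_dir, _MARKDOWN_SOURCES)
    _publish_sanitized(src_diagrams, out_dir, _SVG_SOURCES)

    # The static pages contain no repository data, so they are written as is.
    (out_dir / 'index.md').write_text(_INDEX_MD, encoding='utf-8')
    (out_dir / 'diagrams.md').write_text(_DIAGRAMS_MD, encoding='utf-8')
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))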