a301_server/internal/chain/service.go

package chain

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"io"
	"log"

	"github.com/tolelom/tolchain/core"
	tocrypto "github.com/tolelom/tolchain/crypto"
	"github.com/tolelom/tolchain/wallet"
)

type Service struct {
	repo           *Repository
	client         *Client
	chainID        string
	operatorWallet *wallet.Wallet
	encKeyBytes    []byte // 32-byte AES-256 key
	userResolver   func(username string) (uint, error)
}

// SetUserResolver sets the callback that resolves username → userID.
func (s *Service) SetUserResolver(fn func(username string) (uint, error)) {
	s.userResolver = fn
}

// resolveUsername converts a username to the user's on-chain pubKeyHex.
func (s *Service) resolveUsername(username string) (string, error) {
	if s.userResolver == nil {
		return "", fmt.Errorf("user resolver not configured")
	}
	userID, err := s.userResolver(username)
	if err != nil {
		return "", fmt.Errorf("user not found")
	}
	uw, err := s.repo.FindByUserID(userID)
	if err != nil {
		return "", fmt.Errorf("wallet not found")
	}
	return uw.PubKeyHex, nil
}

func NewService(
	repo *Repository,
	client *Client,
	chainID string,
	operatorKeyHex string,
	walletEncKeyHex string,
) (*Service, error) {
	encKey, err := hex.DecodeString(walletEncKeyHex)
	if err != nil || len(encKey) != 32 {
		return nil, fmt.Errorf("WALLET_ENCRYPTION_KEY must be 64 hex chars (32 bytes)")
	}

	var opWallet *wallet.Wallet
	if operatorKeyHex != "" {
		privKey, err := tocrypto.PrivKeyFromHex(operatorKeyHex)
		if err != nil {
			return nil, fmt.Errorf("invalid OPERATOR_KEY_HEX: %w", err)
		}
		opWallet = wallet.New(privKey)
	}

	return &Service{
		repo:           repo,
		client:         client,
		chainID:        chainID,
		operatorWallet: opWallet,
		encKeyBytes:    encKey,
	}, nil
}

// ---- Wallet Encryption (AES-256-GCM) ----

func (s *Service) encryptPrivKey(privKey tocrypto.PrivateKey) (cipherHex, nonceHex string, err error) {
	block, err := aes.NewCipher(s.encKeyBytes)
	if err != nil {
		return "", "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", "", err
	}
	cipherText := gcm.Seal(nil, nonce, []byte(privKey), nil)
	return hex.EncodeToString(cipherText), hex.EncodeToString(nonce), nil
}

func (s *Service) decryptPrivKey(cipherHex, nonceHex string) (tocrypto.PrivateKey, error) {
	cipherText, err := hex.DecodeString(cipherHex)
	if err != nil {
		return nil, err
	}
	nonce, err := hex.DecodeString(nonceHex)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(s.encKeyBytes)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	plaintext, err := gcm.Open(nil, nonce, cipherText, nil)
	if err != nil {
		return nil, fmt.Errorf("wallet decryption failed: %w", err)
	}
	return tocrypto.PrivateKey(plaintext), nil
}

// ---- Wallet Management ----

// CreateWallet generates a new keypair, encrypts it, and stores in DB.
func (s *Service) CreateWallet(userID uint) (*UserWallet, error) {
	w, err := wallet.Generate()
	if err != nil {
		return nil, fmt.Errorf("key generation failed: %w", err)
	}

	cipherHex, nonceHex, err := s.encryptPrivKey(w.PrivKey())
	if err != nil {
		return nil, fmt.Errorf("key encryption failed: %w", err)
	}

	uw := &UserWallet{
		UserID:           userID,
		PubKeyHex:        w.PubKey(),
		Address:          w.Address(),
		EncryptedPrivKey: cipherHex,
		EncNonce:         nonceHex,
	}
	if err := s.repo.Create(uw); err != nil {
		return nil, fmt.Errorf("wallet save failed: %w", err)
	}
	return uw, nil
}

func (s *Service) GetWallet(userID uint) (*UserWallet, error) {
	return s.repo.FindByUserID(userID)
}

// loadUserWallet decrypts a user's private key and returns a wallet.Wallet.
func (s *Service) loadUserWallet(userID uint) (*wallet.Wallet, string, error) {
	uw, err := s.repo.FindByUserID(userID)
	if err != nil {
		return nil, "", fmt.Errorf("wallet not found: %w", err)
	}
	privKey, err := s.decryptPrivKey(uw.EncryptedPrivKey, uw.EncNonce)
	if err != nil {
		log.Printf("WARNING: wallet decryption failed for userID=%d: %v", userID, err)
		return nil, "", fmt.Errorf("wallet decryption failed")
	}
	return wallet.New(privKey), uw.PubKeyHex, nil
}

func (s *Service) getNonce(address string) (uint64, error) {
	bal, err := s.client.GetBalance(address)
	if err != nil {
		return 0, fmt.Errorf("get nonce failed: %w", err)
	}
	return bal.Nonce, nil
}

// ---- Query Methods ----

func (s *Service) GetBalance(userID uint) (*BalanceResult, error) {
	uw, err := s.repo.FindByUserID(userID)
	if err != nil {
		return nil, fmt.Errorf("wallet not found: %w", err)
	}
	return s.client.GetBalance(uw.PubKeyHex)
}

func (s *Service) GetAssets(userID uint, offset, limit int) (json.RawMessage, error) {
	uw, err := s.repo.FindByUserID(userID)
	if err != nil {
		return nil, fmt.Errorf("wallet not found: %w", err)
	}
	return s.client.GetAssetsByOwner(uw.PubKeyHex, offset, limit)
}

func (s *Service) GetAsset(assetID string) (json.RawMessage, error) {
	return s.client.GetAsset(assetID)
}

func (s *Service) GetInventory(userID uint) (json.RawMessage, error) {
	uw, err := s.repo.FindByUserID(userID)
	if err != nil {
		return nil, fmt.Errorf("wallet not found: %w", err)
	}
	return s.client.GetInventory(uw.PubKeyHex)
}

func (s *Service) GetMarketListings(offset, limit int) (json.RawMessage, error) {
	return s.client.GetActiveListings(offset, limit)
}

func (s *Service) GetListing(listingID string) (json.RawMessage, error) {
	return s.client.GetListing(listingID)
}

// ---- User Transaction Methods ----

func (s *Service) Transfer(userID uint, to string, amount uint64) (*SendTxResult, error) {
	w, pubKey, err := s.loadUserWallet(userID)
	if err != nil {
		return nil, err
	}
	nonce, err := s.getNonce(pubKey)
	if err != nil {
		return nil, err
	}
	tx, err := w.Transfer(s.chainID, to, amount, nonce, 0)
	if err != nil {
		return nil, fmt.Errorf("build tx failed: %w", err)
	}
	return s.client.SendTx(tx)
}

func (s *Service) TransferAsset(userID uint, assetID, to string) (*SendTxResult, error) {
	w, pubKey, err := s.loadUserWallet(userID)
	if err != nil {
		return nil, err
	}
	nonce, err := s.getNonce(pubKey)
	if err != nil {
		return nil, err
	}
	tx, err := w.TransferAsset(s.chainID, assetID, to, nonce, 0)
	if err != nil {
		return nil, fmt.Errorf("build tx failed: %w", err)
	}
	return s.client.SendTx(tx)
}

func (s *Service) ListOnMarket(userID uint, assetID string, price uint64) (*SendTxResult, error) {
	w, pubKey, err := s.loadUserWallet(userID)
	if err != nil {
		return nil, err
	}
	nonce, err := s.getNonce(pubKey)
	if err != nil {
		return nil, err
	}
	tx, err := w.ListMarket(s.chainID, assetID, price, nonce, 0)
	if err != nil {
		return nil, fmt.Errorf("build tx failed: %w", err)
	}
	return s.client.SendTx(tx)
}

func (s *Service) BuyFromMarket(userID uint, listingID string) (*SendTxResult, error) {
	w, pubKey, err := s.loadUserWallet(userID)
	if err != nil {
		return nil, err
	}
	nonce, err := s.getNonce(pubKey)
	if err != nil {
		return nil, err
	}
	tx, err := w.BuyMarket(s.chainID, listingID, nonce, 0)
	if err != nil {
		return nil, fmt.Errorf("build tx failed: %w", err)
	}
	return s.client.SendTx(tx)
}

func (s *Service) CancelListing(userID uint, listingID string) (*SendTxResult, error) {
	w, pubKey, err := s.loadUserWallet(userID)
	if err != nil {
		return nil, err
	}
	nonce, err := s.getNonce(pubKey)
	if err != nil {
		return nil, err
	}
	tx, err := w.CancelListing(s.chainID, listingID, nonce, 0)
	if err != nil {
		return nil, fmt.Errorf("build tx failed: %w", err)
	}
	return s.client.SendTx(tx)
}

func (s *Service) EquipItem(userID uint, assetID, slot string) (*SendTxResult, error) {
	w, pubKey, err := s.loadUserWallet(userID)
	if err != nil {
		return nil, err
	}
	nonce, err := s.getNonce(pubKey)
	if err != nil {
		return nil, err
	}
	tx, err := w.EquipItem(s.chainID, assetID, slot, nonce, 0)
	if err != nil {
		return nil, fmt.Errorf("build tx failed: %w", err)
	}
	return s.client.SendTx(tx)
}

func (s *Service) UnequipItem(userID uint, assetID string) (*SendTxResult, error) {
	w, pubKey, err := s.loadUserWallet(userID)
	if err != nil {
		return nil, err
	}
	nonce, err := s.getNonce(pubKey)
	if err != nil {
		return nil, err
	}
	tx, err := w.UnequipItem(s.chainID, assetID, nonce, 0)
	if err != nil {
		return nil, fmt.Errorf("build tx failed: %w", err)
	}
	return s.client.SendTx(tx)
}

// ---- Operator Transaction Methods ----

func (s *Service) ensureOperator() error {
	if s.operatorWallet == nil {
		return fmt.Errorf("operator wallet not configured")
	}
	return nil
}

func (s *Service) getOperatorNonce() (uint64, error) {
	if err := s.ensureOperator(); err != nil {
		return 0, err
	}
	return s.getNonce(s.operatorWallet.PubKey())
}

func (s *Service) MintAsset(templateID, ownerPubKey string, properties map[string]any) (*SendTxResult, error) {
	if err := s.ensureOperator(); err != nil {
		return nil, err
	}
	nonce, err := s.getOperatorNonce()
	if err != nil {
		return nil, err
	}
	tx, err := s.operatorWallet.MintAsset(s.chainID, templateID, ownerPubKey, properties, nonce, 0)
	if err != nil {
		return nil, fmt.Errorf("build tx failed: %w", err)
	}
	return s.client.SendTx(tx)
}

func (s *Service) GrantReward(recipientPubKey string, tokenAmount uint64, assets []core.MintAssetPayload) (*SendTxResult, error) {
	if err := s.ensureOperator(); err != nil {
		return nil, err
	}
	nonce, err := s.getOperatorNonce()
	if err != nil {
		return nil, err
	}
	tx, err := s.operatorWallet.GrantReward(s.chainID, recipientPubKey, tokenAmount, assets, nonce, 0)
	if err != nil {
		return nil, fmt.Errorf("build tx failed: %w", err)
	}
	return s.client.SendTx(tx)
}

func (s *Service) RegisterTemplate(id, name string, schema map[string]any, tradeable bool) (*SendTxResult, error) {
	if err := s.ensureOperator(); err != nil {
		return nil, err
	}
	nonce, err := s.getOperatorNonce()
	if err != nil {
		return nil, err
	}
	tx, err := s.operatorWallet.RegisterTemplate(s.chainID, id, name, schema, tradeable, nonce, 0)
	if err != nil {
		return nil, fmt.Errorf("build tx failed: %w", err)
	}
	return s.client.SendTx(tx)
}

// ---- Username-based Methods (for game server) ----

func (s *Service) GrantRewardByUsername(username string, tokenAmount uint64, assets []core.MintAssetPayload) (*SendTxResult, error) {
	pubKey, err := s.resolveUsername(username)
	if err != nil {
		return nil, err
	}
	return s.GrantReward(pubKey, tokenAmount, assets)
}

func (s *Service) MintAssetByUsername(templateID, username string, properties map[string]any) (*SendTxResult, error) {
	pubKey, err := s.resolveUsername(username)
	if err != nil {
		return nil, err
	}
	return s.MintAsset(templateID, pubKey, properties)
}

func (s *Service) GetBalanceByUsername(username string) (*BalanceResult, error) {
	pubKey, err := s.resolveUsername(username)
	if err != nil {
		return nil, err
	}
	return s.client.GetBalance(pubKey)
}

func (s *Service) GetAssetsByUsername(username string, offset, limit int) (json.RawMessage, error) {
	pubKey, err := s.resolveUsername(username)
	if err != nil {
		return nil, err
	}
	return s.client.GetAssetsByOwner(pubKey, offset, limit)
}

func (s *Service) GetInventoryByUsername(username string) (json.RawMessage, error) {
	pubKey, err := s.resolveUsername(username)
	if err != nil {
		return nil, err
	}
	return s.client.GetInventory(pubKey)
}