#!/usr/bin/env python3
import http.server, subprocess, hashlib, hmac, json, os, sys

SECRET = os.environ.get('WEBHOOK_SECRET', 'ptp-deploy-2026')
PORT = 9000

class Handler(http.server.BaseHTTPRequestHandler):
    def do_POST(self):
        if self.path != '/deploy':
            self.send_response(404); self.end_headers(); return
        
        length = int(self.headers.get('Content-Length', 0))
        body = self.rfile.read(length)
        
        # Verify signature (Gitea sends X-Gitea-Signature)
        sig = self.headers.get('X-Gitea-Signature', '')
        expected = hmac.new(SECRET.encode(), body, hashlib.sha256).hexdigest()
        
        if not hmac.compare_digest(sig, expected):
            self.send_response(403); self.end_headers()
            self.wfile.write(b'Bad signature'); return
        
        try:
            data = json.loads(body)
            ref = data.get('ref', '')
            if ref not in ('refs/heads/mirror', 'refs/heads/main'):
                self.send_response(200); self.end_headers()
                self.wfile.write(b'Skipped (not mirror/main)'); return
        except: pass
        
        subprocess.Popen(['/usr/local/bin/deploy-ptp.sh'])
        self.send_response(200); self.end_headers()
        self.wfile.write(b'Deploy triggered')

    def log_message(self, fmt, *args):
        pass  # silent

if __name__ == '__main__':
    httpd = http.server.HTTPServer(('127.0.0.1', PORT), Handler)
    print(f'Webhook server on port {PORT}')
    httpd.serve_forever()