param(
    [string]$ApiBaseUrl = "http://192.168.200.61:18121/api/v1",
    [string]$ClusterID = "cfc0743d-d960-49fb-9de8-96e063d5e4aa",
    [string]$DockerSSH = "test-docker",
    [string]$ExpectedBackendImage = "rap-backend:fabric-service-channel-0.2.203",
    [string]$EntryNodeID = "108a0d66-d65e-4dea-b9a8-135366bf7dba",
    [string]$ExitNodeID = "830a26de-e7e8-462f-8f37-5189027955d5",
    [string]$ResultPath = "artifacts\c18z28-service-channel-recovery-policy-provenance-smoke-result.json"
)

Set-StrictMode -Version Latest
$ErrorActionPreference = "Stop"

$scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
$repoRoot = (Resolve-Path (Join-Path $scriptDir "..\..")).ProviderPath
$backendRoot = Join-Path $repoRoot "backend"

Push-Location $backendRoot
try {
    $unitTestOutput = & go test ./internal/modules/cluster -run "TestIssueFabricServiceChannelLeaseSelectsAuthorizedRoute|TestFabricServiceChannelRecoveryPolicyControlsPromotionAndPenalty|TestRoutePathDecisionReportCountsRecoveryHysteresis" 2>&1
    if ($LASTEXITCODE -ne 0) {
        $unitText = ($unitTestOutput | Out-String)
        throw "C18Z28 recovery policy provenance backend unit tests failed:`n$unitText"
    }
} finally {
    Pop-Location
}

$syntheticUrl = "$ApiBaseUrl/clusters/$ClusterID/nodes/$EntryNodeID/mesh/synthetic-config"
$synthetic = Invoke-RestMethod -Method Get -Uri $syntheticUrl
$syntheticConfig = $synthetic.synthetic_mesh_config
$feedbackPolicy = $syntheticConfig.service_channel_route_feedback.recovery_policy
$pathPolicy = $null
$routePathDecisions = $null
$routePathProperty = $syntheticConfig.PSObject.Properties["route_path_decisions"]
if ($null -ne $routePathProperty) {
    $routePathDecisions = $routePathProperty.Value
}
if ($null -ne $routePathDecisions) {
    $pathPolicy = $routePathDecisions.recovery_policy
}

$leaseBody = @{
    organization_id = "org-c18z28-smoke"
    user_id = "user-c18z28-smoke"
    resource_id = "vpn-c18z28-smoke"
    service_class = "vpn_packets"
    entry_node_ids = @($EntryNodeID)
    exit_node_ids = @($ExitNodeID)
    preferred_entry_node_id = $EntryNodeID
    preferred_exit_node_id = $ExitNodeID
    allowed_channels = @("vpn_packet")
    ttl_seconds = 60
}
$lease = Invoke-RestMethod -Method Post -Uri "$ApiBaseUrl/clusters/$ClusterID/fabric/service-channels/leases" -ContentType "application/json" -Body ($leaseBody | ConvertTo-Json -Depth 20)
$leaseItem = $lease.fabric_service_channel_lease

$backendLine = (& ssh $DockerSSH "docker ps --format '{{.Names}} {{.Image}} {{.Status}}' | grep '^rap_test_backend '") | Out-String
$backendImageOK = $backendLine.Contains($ExpectedBackendImage)
$feedbackPolicyOK = $null -ne $feedbackPolicy -and [int]$feedbackPolicy.hysteresis_penalty -gt 0 -and [string]$feedbackPolicy.source -ne ""
$leasePolicyOK = $null -ne $leaseItem.recovery_policy -and [int]$leaseItem.recovery_policy.promotion_min_samples -gt 0
$routePolicyOK = $null -ne $leaseItem.primary_route.recovery_policy -and [int]$leaseItem.primary_route.recovery_policy.demotion_failure_threshold -gt 0
$signedPolicyOK = $null -ne $leaseItem.authority_payload.recovery_policy -and [int]$leaseItem.authority_payload.recovery_policy.hysteresis_penalty -gt 0
$pathPolicyOK = $true
if ($null -ne $routePathDecisions) {
    $pathPolicyOK = $null -ne $pathPolicy -and [string]$pathPolicy.source -ne ""
}

$result = [ordered]@{
    schema_version = "c18z28.service_channel_recovery_policy_provenance_smoke.v1"
    passed = [bool]($backendImageOK -and $feedbackPolicyOK -and $leasePolicyOK -and $routePolicyOK -and $signedPolicyOK -and $pathPolicyOK)
    checks = [ordered]@{
        unit_recovery_policy_provenance_passed = ($unitTestOutput -join "`n").Contains("ok")
        backend_expected_image_deployed = $backendImageOK
        synthetic_feedback_policy_present = $feedbackPolicyOK
        synthetic_route_path_policy_present_when_report_exists = $pathPolicyOK
        lease_policy_present = $leasePolicyOK
        lease_primary_route_policy_present = $routePolicyOK
        signed_authority_payload_policy_present = $signedPolicyOK
    }
    summary = [ordered]@{
        unit_test_output = ($unitTestOutput | Out-String).Trim()
        backend_container = $backendLine.Trim()
        expected_backend_image = $ExpectedBackendImage
        synthetic_feedback_policy = $feedbackPolicy
        synthetic_route_path_policy = $pathPolicy
        lease_policy = $leaseItem.recovery_policy
        primary_route_policy = $leaseItem.primary_route.recovery_policy
        signed_payload_policy = $leaseItem.authority_payload.recovery_policy
    }
}

$resolvedResultPath = Join-Path $repoRoot $ResultPath
$result | ConvertTo-Json -Depth 100 | Set-Content -Path $resolvedResultPath -Encoding UTF8

if (-not $result.passed) {
    throw "C18Z28 recovery policy provenance smoke failed. Result: $resolvedResultPath"
}

Write-Host "C18Z28 service-channel recovery policy provenance smoke passed. Result: $resolvedResultPath"
$result