"""Challenge-frame helpers for ``browser-cli serve``."""
from __future__ import annotations

import asyncio
import secrets
from pathlib import Path

from browser_cli.version_manager import PROTOCOL_MIN_CLIENT, get_installed_version

async def load_auth_keys(auth_keys_path: Path | None) -> list[str] | None:
  if auth_keys_path is None:
    return None
  from browser_cli.auth import load_authorized_keys
  return await asyncio.to_thread(load_authorized_keys, auth_keys_path)

async def build_challenge(auth_keys_path: Path | None) -> tuple[str, object | None, dict]:
  nonce = secrets.token_hex(32)
  pq_private_key = None
  challenge_msg = {
    "type": "challenge",
    "nonce": nonce,
    "server_version": get_installed_version(),
    "min_client_version": PROTOCOL_MIN_CLIENT,
  }
  if auth_keys_path is not None:
    from browser_cli.auth import PQ_KEX_ALG, pq_kex_server_keypair
    pq_keypair = await asyncio.to_thread(pq_kex_server_keypair)
    if pq_keypair is not None:
      pq_private_key, pq_public_key = pq_keypair
      challenge_msg["pq_kex"] = {"alg": PQ_KEX_ALG, "public_key": pq_public_key.hex()}
  return nonce, pq_private_key, challenge_msg