// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

import "forge-std/Script.sol";
import {CompliantWrappedToken} from "../../contracts/tokens/CompliantWrappedToken.sol";

/**
 * @title DeploySingleCWToken
 * @notice Deploy exactly one CompliantWrappedToken and grant MINTER/BURNER to the bridge.
 *
 * Env:
 *   PRIVATE_KEY (required)
 *   CW_BRIDGE_ADDRESS (required)
 *   CW_TOKEN_NAME (required)
 *   CW_TOKEN_SYMBOL (required)
 *   CW_TOKEN_DECIMALS (optional, default 6)
 *   CW_STRICT_MODE=0 (optional override) — by default deployer MINTER/BURNER are revoked after bridge grant
 *   CW_GOVERNANCE_ADMIN=0x... (optional) — grant DEFAULT_ADMIN_ROLE to governance; if strict, revoke deployer admin when governance is set
 *   CW_FREEZE_OPERATIONAL_ROLES=0 (optional override) — by default freeze future MINTER/BURNER changes after setup
 */
contract DeploySingleCWToken is Script {
    function run() external {
        uint256 pk = vm.envUint("PRIVATE_KEY");
        address admin = vm.addr(pk);
        address bridge = vm.envAddress("CW_BRIDGE_ADDRESS");
        string memory tokenName = vm.envString("CW_TOKEN_NAME");
        string memory tokenSymbol = vm.envString("CW_TOKEN_SYMBOL");
        uint8 decimals_ = uint8(vm.envOr("CW_TOKEN_DECIMALS", uint256(6)));
        bool strictMode = vm.envOr("CW_STRICT_MODE", uint256(1)) == 1;
        bool freezeOperationalRoles = vm.envOr("CW_FREEZE_OPERATIONAL_ROLES", uint256(1)) == 1;
        address governanceAdmin = vm.envOr("CW_GOVERNANCE_ADMIN", address(0));

        require(bridge != address(0), "CW_BRIDGE_ADDRESS required");
        require(bytes(tokenName).length != 0, "CW_TOKEN_NAME required");
        require(bytes(tokenSymbol).length != 0, "CW_TOKEN_SYMBOL required");

        vm.startBroadcast(pk);

        CompliantWrappedToken token = new CompliantWrappedToken(tokenName, tokenSymbol, decimals_, admin);
        token.grantRole(token.MINTER_ROLE(), bridge);
        token.grantRole(token.BURNER_ROLE(), bridge);

        if (strictMode) {
            token.revokeRole(token.MINTER_ROLE(), admin);
            token.revokeRole(token.BURNER_ROLE(), admin);
        }

        if (governanceAdmin != address(0) && governanceAdmin != admin) {
            token.grantRole(token.DEFAULT_ADMIN_ROLE(), governanceAdmin);
        }

        if (freezeOperationalRoles) {
            token.freezeOperationalRoles();
        }

        if (strictMode && governanceAdmin != address(0) && governanceAdmin != admin) {
            token.revokeRole(token.DEFAULT_ADMIN_ROLE(), admin);
        }

        vm.stopBroadcast();

        console.log(tokenSymbol, address(token));
        console.log("  bridge", bridge);
        console.log("  strictMode", strictMode);
        console.log("  governanceAdmin", governanceAdmin);
        console.log("  operationalRolesFrozen", token.operationalRolesFrozen());
        console.log("  deployerHasMinter", token.hasRole(token.MINTER_ROLE(), admin));
        console.log("  deployerHasBurner", token.hasRole(token.BURNER_ROLE(), admin));
        console.log("  bridgeHasMinter", token.hasRole(token.MINTER_ROLE(), bridge));
        console.log("  bridgeHasBurner", token.hasRole(token.BURNER_ROLE(), bridge));
    }
}