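# End-to-end test for vault-hier.
#
# Evaluates to a derivation that starts a throwaway Vault server and a
# vault-hier API server, runs a few client commands against them, and
# produces $out/success when every step exits cleanly.
#
# Arguments:
#   pkgs        package set providing writeShellScriptBin, runCommand, vault, wget, jq
#   vault-hier  the package under test (its bin/vault-hier is invoked directly)
#   src         accepted for interface compatibility; not referenced in this file
{ pkgs, vault-hier, src }:

let
  # Shell script that drives the whole scenario. writeShellScriptBin writes
  # the shebang itself, so the body starts directly with the shell options.
  e2eTestScript = pkgs.writeShellScriptBin "run-e2e-tests" ''
    set -euo pipefail

    # Create temporary directories for test data, vault, and pid files
    TEST_DIR=$(mktemp -d)
    VAULT_TEST_DIR=$(mktemp -d)
    VAULT_PID_FILE="$TEST_DIR/vault.pid"

    # Declared up front: cleanup reads it under "set -u", and it must not
    # abort with an unbound-variable error when a step fails before the
    # vault-hier server has been started.
    SERVER_PID=""

    # Set Vault address
    export VAULT_ADDR="http://127.0.0.1:8200"

    # Use a fixed port for the API to make debugging easier
    API_PORT=3456
    API_URL="http://localhost:$API_PORT"

    echo "Using test directory: $TEST_DIR"
    echo "Using vault test directory: $VAULT_TEST_DIR"
    echo "Using vault PID file: $VAULT_PID_FILE"

    # Runs exactly once, from the EXIT trap, on success and on failure alike.
    # "set -e" already turns any failing command into an exit, so a separate
    # ERR trap is not needed and would only make the cleanup run twice.
    cleanup() {
      status=$?
      if [ "$status" -ne 0 ]; then
        echo "Error encountered, exiting..."
      fi

      echo "Cleaning up resources..."

      if [ -n "$SERVER_PID" ]; then
        echo "Stopping server process ($SERVER_PID)..."
        kill -9 "$SERVER_PID" 2>/dev/null || true
      fi

      if [ -f "$VAULT_PID_FILE" ]; then
        VAULT_PID=$(cat "$VAULT_PID_FILE")
        echo "Stopping vault process ($VAULT_PID)..."
        kill -9 "$VAULT_PID" 2>/dev/null || true
      fi

      # Clean up all temporary files and directories. This also removes the
      # Vault file storage and both server logs.
      rm -rf "$TEST_DIR"
      rm -rf "$VAULT_TEST_DIR"

      echo "Cleanup complete."
    }

    trap cleanup EXIT

    # Check if Vault is installed
    if ! command -v vault &> /dev/null; then
      echo "Vault is not installed in the test environment."
      exit 1
    fi

    # No stale-PID handling is needed here: the PID file lives inside the
    # directory mktemp just created, so it cannot exist yet.

    echo "Starting Vault server in non-dev mode..."

    # Create temporary config file.
    # tls_disable and disable_mlock are tolerable only because the listener
    # is bound to loopback and the storage directory is deleted on exit.
    # This configuration is a test fixture, not a template for a real server.
    mkdir -p "$VAULT_TEST_DIR/data" "$VAULT_TEST_DIR/config"
    cat > "$VAULT_TEST_DIR/config/vault.hcl" << EOF
    storage "file" {
      path = "$VAULT_TEST_DIR/data"
    }

    listener "tcp" {
      address     = "127.0.0.1:8200"
      tls_disable = "true"
    }

    disable_mlock = true
    ui = false
    EOF

    vault server -config="$VAULT_TEST_DIR/config/vault.hcl" > "$TEST_DIR/vault_server.log" 2>&1 &
    VAULT_PID=$!
    echo "$VAULT_PID" > "$VAULT_PID_FILE"

    echo "Vault server started with PID $VAULT_PID"
    echo "Vault server is running at $VAULT_ADDR"

    # Wait for Vault to start
    echo "Waiting for Vault to start..."
    sleep 5

    # Check if Vault is up and running.
    # The URL must be quoted: an unquoted "&" ends the command and puts wget
    # in the background, which makes the "if" succeed on the first attempt
    # whether or not Vault answers. sealedcode/uninitcode ask Vault to answer
    # 200 while sealed or uninitialised, so this probe proves only that the
    # listener responds, not that Vault is ready to serve secrets.
    # NOTE(review): this script never initialises or unseals Vault;
    # presumably the vault-hier server does that itself. Confirm.
    HEALTH_URL="$VAULT_ADDR/v1/sys/health?standbyok=true&sealedcode=200&uninitcode=200"
    for i in {1..10}; do
      if wget -q -O- "$HEALTH_URL" > /dev/null 2>&1; then
        echo "Vault is up and running!"
        break
      fi

      if [ "$i" -eq 10 ]; then
        echo "Timed out waiting for Vault to become available"
        exit 1
      fi

      echo "Vault is unavailable - sleeping (attempt $i/10)"
      sleep 2
    done

    # Start the vault-hier server
    echo "Starting the vault-hier server..."
    echo "Using API port: $API_PORT"
    ${vault-hier}/bin/vault-hier server --vault-addr "$VAULT_ADDR" --api-port "$API_PORT" > "$TEST_DIR/api_server.log" 2>&1 &
    SERVER_PID=$!
    echo "Server started with PID $SERVER_PID"

    # Wait for the server to start. This is a fixed delay, not a readiness
    # probe; a server that needs longer shows up as a failure of the login
    # step below.
    echo "Waiting for the server to start..."
    sleep 10

    # Test the server with some client operations
    echo "Testing the client operations..."

    # Create a sample file for testing
    echo "Creating a sample file for testing..."
    echo "This is a test document" > "$TEST_DIR/test_document.txt"

    # Test login with legal1 user.
    # Fixture credentials for the throwaway instance only. A password given
    # as a command-line argument is visible to other local processes while
    # the command runs, so this form is unsuitable for real accounts.
    # NOTE(review): presumably the vault-hier server seeds this user. Confirm.
    echo "Testing login with legal1 user..."
    LOGIN_OUTPUT=$(${vault-hier}/bin/vault-hier login --username legal1 --password legal1pass --api-url "$API_URL")
    echo "$LOGIN_OUTPUT"

    # Only the exit status is checked ("set -e" aborts on a failed login);
    # the content of the output is not inspected.
    echo "Login command executed successfully"

    # Test basic commands (these should at least parse correctly).
    # The command is tested inside the "if" itself: under "set -e" a separate
    # check of $? on the following line is never reached after a failure.
    echo "Testing help command..."
    if ! ${vault-hier}/bin/vault-hier --help; then
      echo "ERROR: Failed to run help command"
      exit 1
    fi

    # Test version command
    echo "Testing version command..."
    if ! ${vault-hier}/bin/vault-hier --version; then
      echo "ERROR: Failed to run version command"
      exit 1
    fi

    echo "End-to-end tests passed successfully!"
    exit 0
  '';

  # Create the derivation that will run the tests. The script calls vault and
  # wget by name, so both must be on PATH during the build.
  e2eTests = pkgs.runCommand "vault-hier-e2e-tests" {
    buildInputs = [ vault-hier pkgs.vault pkgs.wget ];
    nativeBuildInputs = [ pkgs.jq pkgs.wget ];
  } ''
    # Run the test script
    ${e2eTestScript}/bin/run-e2e-tests

    # Create a success marker file to indicate the tests passed
    mkdir -p $out
    touch $out/success
  '';
in
e2eTests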