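#!/usr/bin/env bash
# Package the Java analyzer plugin for release / offline distribution.
#
# Usage:   ./package-analyzer.sh [version] [output-dir]
# Example: ./package-analyzer.sh 2025.10.0 ./dist
#
# Optional environment:
#   SOURCE_DATE_EPOCH  timestamp stamped on archive entries (default below)
#   COSIGN_KEY         cosign private key path/URI; the archive is signed only
#                      when this is set AND the cosign binary is on PATH
#
# Produced in <output-dir>:
#   java-analyzer-<ver>-<rid>/                   one publish directory per RID
#   java-analyzer-<ver>-<rid>.sha256             checksums of every file in it
#   scanner-java-analyzer-<ver>.tar.gz           combined archive (+ .sha256, optional .sig)
#   scanner-java-analyzer-<ver>.{spdx,cdx}.json  SBOMs, only if syft is installed
#   manifest.json
#
# Requires GNU tar (--sort/--mtime/--owner) and GNU coreutils (sha256sum).
set -euo pipefail

die() { printf 'error: %s\n' "$*" >&2; exit 1; }

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "${SCRIPT_DIR}/../../.." && pwd)"
VERSION="${1:-$(date +%Y.%m.%d)}"
OUTPUT_DIR="${2:-${SCRIPT_DIR}/../artifacts/scanner-java}"
PROJECT_PATH="src/Scanner/__Libraries/StellaOps.Scanner.Analyzers.Lang.Java/StellaOps.Scanner.Analyzers.Lang.Java.csproj"

# VERSION is spliced into directory names, the archive name, MSBuild's
# /p:Version and the JSON manifest. Reject anything that could escape
# OUTPUT_DIR ("../x"), glob, or break the JSON (quotes, backslashes) before
# it is used anywhere.
if [[ ! "${VERSION}" =~ ^[A-Za-z0-9][A-Za-z0-9._+-]*$ ]]; then
  die "invalid version '${VERSION}' (allowed: [A-Za-z0-9._+-], must not start with '.' or '-')"
fi

# Freeze timestamps for reproducibility. This script applies it to the tar
# entries below; whether `dotnet publish` also honours it is not verified here.
export SOURCE_DATE_EPOCH="${SOURCE_DATE_EPOCH:-1704067200}"
[[ "${SOURCE_DATE_EPOCH}" =~ ^[0-9]+$ ]] || die "SOURCE_DATE_EPOCH must be an integer, got '${SOURCE_DATE_EPOCH}'"

echo "==> Packaging Java analyzer v${VERSION}"
mkdir -p -- "${OUTPUT_DIR}"
# Resolve to an absolute path: the script cd's into OUTPUT_DIR for the archive
# step, so a relative argument such as "./dist" would otherwise be re-applied
# to the new cwd (./dist/dist/...) by every later "${OUTPUT_DIR}/..." reference.
OUTPUT_DIR="$(cd "${OUTPUT_DIR}" && pwd)"

# Build for all target RIDs
RIDS=("linux-x64" "linux-arm64" "osx-x64" "osx-arm64" "win-x64")
for RID in "${RIDS[@]}"; do
  PUBLISH_DIR="${OUTPUT_DIR}/java-analyzer-${VERSION}-${RID}"
  echo "==> Building for ${RID}..."
  # Start from an empty directory: `dotnet publish --output` does not remove
  # files left by an earlier run, and anything left here would be packaged,
  # checksummed and signed along with the fresh build.
  rm -rf -- "${PUBLISH_DIR:?}"
  dotnet publish "${REPO_ROOT}/${PROJECT_PATH}" \
    --configuration Release \
    --runtime "${RID}" \
    --self-contained false \
    --output "${PUBLISH_DIR}" \
    /p:Version="${VERSION}" \
    /p:PublishTrimmed=false \
    /p:DebugType=None
done

# Create combined archive
ARCHIVE_NAME="scanner-java-analyzer-${VERSION}"
echo "==> Creating archive ${ARCHIVE_NAME}.tar.gz..."
cd "${OUTPUT_DIR}"
# List the members explicitly rather than globbing java-analyzer-<ver>-*/,
# which would also sweep in directories for RIDs no longer in RIDS.
ARCHIVE_MEMBERS=()
for RID in "${RIDS[@]}"; do
  ARCHIVE_MEMBERS+=("java-analyzer-${VERSION}-${RID}/")
done
# Normalise everything tar would otherwise take from the build host -- entry
# order, mtimes, uid/gid -- so the same inputs yield the same archive digest
# (without this, SOURCE_DATE_EPOCH above has no effect on the archive).
# gzip -n drops its own timestamp/filename header for the same reason.
tar --sort=name \
    --mtime="@${SOURCE_DATE_EPOCH}" \
    --owner=0 --group=0 --numeric-owner \
    -cf - -- "${ARCHIVE_MEMBERS[@]}" \
  | gzip -n > "${ARCHIVE_NAME}.tar.gz"

# Generate checksums
echo "==> Generating checksums..."
sha256sum -- "${ARCHIVE_NAME}.tar.gz" > "${ARCHIVE_NAME}.tar.gz.sha256"
for RID in "${RIDS[@]}"; do
  PUBLISH_DIR="java-analyzer-${VERSION}-${RID}"
  # Cover every published file (not only *.dll / *.json) in a stable order,
  # and fail instead of silently writing an empty file when the publish
  # output is missing.
  (
    cd "${PUBLISH_DIR}"
    find . -type f -print0 | LC_ALL=C sort -z | xargs -0 -r sha256sum --
  ) > "${PUBLISH_DIR}.sha256"
  [[ -s "${PUBLISH_DIR}.sha256" ]] || die "no files to checksum in ${PUBLISH_DIR}"
done

# Generate SBOM if syft available
if command -v syft &>/dev/null; then
  echo "==> Generating SBOM..."
  # The SBOM describes the linux-x64 publish output only; RID-specific
  # differences in the other publish directories are not captured.
  SBOM_SRC="${OUTPUT_DIR}/java-analyzer-${VERSION}-linux-x64"
  syft "dir:${SBOM_SRC}" -o spdx-json > "${OUTPUT_DIR}/${ARCHIVE_NAME}.spdx.json"
  syft "dir:${SBOM_SRC}" -o cyclonedx-json > "${OUTPUT_DIR}/${ARCHIVE_NAME}.cdx.json"
else
  echo "==> syft not found; skipping SBOM generation" >&2
fi

# Sign if cosign available
if command -v cosign &>/dev/null && [[ -n "${COSIGN_KEY:-}" ]]; then
  echo "==> Signing archive..."
  # --output-signature instead of redirecting stdout, so nothing else cosign
  # prints can end up in the .sig file. Only the archive is signed: the SBOMs,
  # per-RID checksum files and manifest.json are NOT covered by this signature.
  # NOTE(review): recent cosign releases may prompt before uploading to the
  # transparency log; pass --yes or --tlog-upload=false explicitly for
  # non-interactive runs -- confirm against the cosign version in use.
  cosign sign-blob --key "${COSIGN_KEY}" \
    --output-signature "${ARCHIVE_NAME}.tar.gz.sig" \
    "${ARCHIVE_NAME}.tar.gz"
else
  echo "==> cosign not found or COSIGN_KEY unset; archive left unsigned" >&2
fi

# Create manifest
# NOTE(review): the original manifest template is not recoverable from this
# copy of the script; the fields below are the values this script itself
# produces -- confirm against whatever consumes manifest.json.
ARCHIVE_SHA256="$(cut -d' ' -f1 "${ARCHIVE_NAME}.tar.gz.sha256")"
RIDS_JSON="$(printf '"%s",' "${RIDS[@]}")"
RIDS_JSON="[${RIDS_JSON%,}]"
cat > "${OUTPUT_DIR}/manifest.json" <<EOF
{
  "version": "${VERSION}",
  "archive": "${ARCHIVE_NAME}.tar.gz",
  "archiveSha256": "${ARCHIVE_SHA256}",
  "rids": ${RIDS_JSON},
  "sourceDateEpoch": ${SOURCE_DATE_EPOCH}
}
EOF

echo "==> Java analyzer packaged to ${OUTPUT_DIR}"
echo "    Archive: ${ARCHIVE_NAME}.tar.gz"
echo "    RIDs: ${RIDS[*]}"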