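#!/usr/bin/env bash
#
# Stage the signals evidence files, check them against SHA256SUMS, pack them
# into a reproducible tarball and PUT that tarball to the evidence locker.
#
# Required environment:
#   EVIDENCE_LOCKER_URL        base URL of the evidence locker
#   CI_EVIDENCE_LOCKER_TOKEN   bearer token used for the upload
#
# Outputs: the tarball at $TAR_OUT, its SHA-256 on stdout, and a confirmation
# line once the upload has succeeded.
set -euo pipefail

STAGED_DIR="evidence-locker/signals/2025-12-05"
MODULE_ROOT="docs/modules/signals"
# NOTE(review): fixed, predictable name in a world-writable directory. On a
# shared runner another local account could pre-create this path. It is kept
# because later steps may read it; prefer a job-private directory if possible.
TAR_OUT="/tmp/signals-evidence.tar"

if [[ -z "${EVIDENCE_LOCKER_URL:-}" || -z "${CI_EVIDENCE_LOCKER_TOKEN:-}" ]]; then
  echo "EVIDENCE_LOCKER_URL and CI_EVIDENCE_LOCKER_TOKEN are required" >&2
  exit 1
fi

tmpdir=$(mktemp -d)
trap 'rm -rf -- "$tmpdir"' EXIT

# The credential lives in its own private directory so it can never end up
# inside the tarball that is built from $tmpdir.
secretdir=$(mktemp -d)
trap 'rm -rf -- "$tmpdir" "$secretdir"' EXIT

# --relative keeps the source paths, so the tarball mirrors the repo layout.
rsync -a --relative \
  "$STAGED_DIR/SHA256SUMS" \
  "$STAGED_DIR/confidence_decay_config.sigstore.json" \
  "$STAGED_DIR/unknowns_scoring_manifest.sigstore.json" \
  "$STAGED_DIR/heuristics_catalog.sigstore.json" \
  "$MODULE_ROOT/decay/confidence_decay_config.yaml" \
  "$MODULE_ROOT/unknowns/unknowns_scoring_manifest.json" \
  "$MODULE_ROOT/heuristics/heuristics.catalog.json" \
  "$tmpdir/"

# The checksum check shows the staged files agree with SHA256SUMS. It does not
# prove authenticity: the *.sigstore.json bundles are shipped, not verified.
# NOTE(review): confirm SHA256SUMS also covers the files under $MODULE_ROOT.
pushd "$tmpdir/$STAGED_DIR" >/dev/null
sha256sum --check SHA256SUMS
popd >/dev/null

# Drop any stale file or pre-planted symlink so tar creates a fresh file and
# does not write through a link. This narrows the /tmp race; it does not
# remove it.
rm -f -- "$TAR_OUT"

# Build deterministic tarball
pushd "$tmpdir" >/dev/null
tar --sort=name --mtime="UTC 1970-01-01" --owner=0 --group=0 --numeric-owner \
  -cf "$TAR_OUT" .
popd >/dev/null

sha256sum "$TAR_OUT"

# Hand the bearer token to curl through a 0600 file rather than on the command
# line, where it would be visible in process listings and `set -x` traces.
# printf is a shell builtin, so the token never reaches any argv.
# Reading headers from a file (-H @file) needs curl 7.55.0 or newer.
auth_header_file="$secretdir/auth.header"
(
  umask 077
  printf 'Authorization: Bearer %s\n' "$CI_EVIDENCE_LOCKER_TOKEN" >"$auth_header_file"
)

# NOTE(review): nothing here forces https; confirm EVIDENCE_LOCKER_URL is an
# https:// URL so the token is not sent in clear text.
curl --retry 3 --retry-delay 2 --fail \
  -H "@$auth_header_file" \
  -X PUT "$EVIDENCE_LOCKER_URL/signals/2025-12-05/signals-evidence.tar" \
  --data-binary "@$TAR_OUT"

echo "Uploaded $TAR_OUT to $EVIDENCE_LOCKER_URL/signals/2025-12-05/"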