#!/usr/bin/env bash
# Package LNM migration runner for release/offline kit
# Usage: ./package-runner.sh
# Dev mode: COSIGN_ALLOW_DEV_KEY=1 COSIGN_PASSWORD=stellaops-dev ./package-runner.sh

set -euo pipefail

ROOT=$(cd "$(dirname "$0")/../../.." && pwd)
OUT_DIR="${OUT_DIR:-$ROOT/out/lnm}"
CREATED="${CREATED:-$(date -u +%Y-%m-%dT%H:%M:%SZ)}"

mkdir -p "$OUT_DIR/runner"

echo "==> LNM Migration Runner Packaging"

# Key resolution
resolve_key() {
  if [[ -n "${COSIGN_PRIVATE_KEY_B64:-}" ]]; then
    local tmp_key="$OUT_DIR/.cosign.key"
    echo "$COSIGN_PRIVATE_KEY_B64" | base64 -d > "$tmp_key"
    chmod 600 "$tmp_key"
    echo "$tmp_key"
  elif [[ -f "$ROOT/tools/cosign/cosign.key" ]]; then
    echo "$ROOT/tools/cosign/cosign.key"
  elif [[ "${COSIGN_ALLOW_DEV_KEY:-0}" == "1" && -f "$ROOT/tools/cosign/cosign.dev.key" ]]; then
    echo "[info] Using development key" >&2
    echo "$ROOT/tools/cosign/cosign.dev.key"
  else
    echo ""
  fi
}

# Build migration runner if project exists
MIGRATION_PROJECT="$ROOT/src/Concelier/__Libraries/StellaOps.Concelier.Migrations/StellaOps.Concelier.Migrations.csproj"
if [[ -f "$MIGRATION_PROJECT" ]]; then
  echo "==> Building migration runner..."
  dotnet publish "$MIGRATION_PROJECT" -c Release -o "$OUT_DIR/runner" --no-restore 2>/dev/null || \
    echo "[info] Build skipped (may need restore or project doesn't exist yet)"
else
  echo "[info] Migration project not found; creating placeholder"
  cat > "$OUT_DIR/runner/README.txt" <<EOF
LNM Migration Runner Placeholder
Build from: src/Concelier/__Libraries/StellaOps.Concelier.Migrations/
Created: $CREATED
Status: Awaiting upstream migration project
EOF
fi

# Create runner bundle
echo "==> Creating runner bundle..."
RUNNER_TAR="$OUT_DIR/lnm-migration-runner.tar.gz"
tar -czf "$RUNNER_TAR" -C "$OUT_DIR/runner" .

# Compute hash
sha256() { sha256sum "$1" | awk '{print $1}'; }
RUNNER_HASH=$(sha256 "$RUNNER_TAR")

# Generate manifest
MANIFEST="$OUT_DIR/lnm-migration-runner.manifest.json"
cat > "$MANIFEST" <<EOF
{
  "schemaVersion": "1.0.0",
  "created": "$CREATED",
  "runner": {
    "path": "lnm-migration-runner.tar.gz",
    "sha256": "$RUNNER_HASH"
  },
  "migrations": {
    "22-001": {"status": "infrastructure-ready", "description": "Advisory observations/linksets staging"},
    "22-002": {"status": "infrastructure-ready", "description": "VEX observation/linkset backfill"},
    "22-003": {"status": "infrastructure-ready", "description": "Metrics monitoring"}
  }
}
EOF

# Sign if key available
KEY_FILE=$(resolve_key)
if [[ -n "$KEY_FILE" ]] && command -v cosign &>/dev/null; then
  echo "==> Signing bundle..."
  COSIGN_PASSWORD="${COSIGN_PASSWORD:-}" cosign sign-blob \
    --key "$KEY_FILE" \
    --bundle "$OUT_DIR/lnm-migration-runner.dsse.json" \
    --tlog-upload=false --yes "$RUNNER_TAR" 2>/dev/null || true
fi

# Generate checksums
cd "$OUT_DIR"
sha256sum lnm-migration-runner.tar.gz lnm-migration-runner.manifest.json > SHA256SUMS

echo "==> LNM runner packaging complete"
echo "    Bundle: $RUNNER_TAR"
echo "    Manifest: $MANIFEST"