#!/usr/bin/env bash
set -euo pipefail

# Verify a mirror-thin-v1 bundle and optional DSSE signatures.
# Usage: mirror-verify.sh manifest.json bundle.tar.gz [--bundle-meta bundle.json] [--pubkey key.pub] [--tenant t] [--environment env]

manifest=${1:-}
bundle=${2:-}
shift 2 || true

bundle_meta=""
pubkey=""
tenant=""
environment=""

while [[ $# -gt 0 ]]; do
  case "$1" in
    --bundle-meta) bundle_meta=${2:-}; shift ;;
    --pubkey) pubkey=${2:-}; shift ;;
    --tenant) tenant=${2:-}; shift ;;
    --environment) environment=${2:-}; shift ;;
    *) echo "Unknown arg $1" >&2; exit 2 ;;
  esac
  shift
done

[[ -z "$manifest" || -z "$bundle" ]] && { echo "manifest and bundle required" >&2; exit 2; }

args=("$manifest" "$bundle")
[[ -n "$bundle_meta" ]] && args+=("--bundle-meta" "$bundle_meta")
[[ -n "$pubkey" ]] && args+=("--pubkey" "$pubkey")
[[ -n "$tenant" ]] && args+=("--tenant" "$tenant")
[[ -n "$environment" ]] && args+=("--environment" "$environment")

python scripts/mirror/verify_thin_bundle.py "${args[@]}"

echo "Mirror bundle verification passed."