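#!/usr/bin/env bash
# DEVOPS-ATTEST-74-002: package attestation outputs into an offline bundle with checksums.
#
# Usage:   attest-bundle.sh <attest-dir> [bundle-out]
#   attest-dir   directory holding the attestation artefacts to package (required)
#   bundle-out   directory the bundle is written into (default: out/attest-bundles)
#
# Produces <bundle-out>/attestation-bundle-<UTC timestamp>/ with the copied artefacts,
# a manifest.json and a SHA256SUMS file, then a .tgz of that directory next to it.
#
# Exit codes follow sysexits(3): 64 usage error, 65 bad input data, 66 missing input.
#
# Security note: SHA256SUMS is an integrity record against accidental corruption in
# transit. It is NOT tamper-evident on its own -- whoever can rewrite a bundled file
# can rewrite SHA256SUMS too -- so sign the bundle (or at least SHA256SUMS) out of
# band before a verifier relies on it.
set -euo pipefail

if (( $# < 1 )); then
  printf 'Usage: %s <attest-dir> [bundle-out]\n' "$0" >&2
  exit 64
fi

ATTEST_DIR=$1
BUNDLE_OUT=${2:-"out/attest-bundles"}

if [[ ! -d "$ATTEST_DIR" ]]; then
  printf '[attest-bundle] attestation directory not found: %s\n' "$ATTEST_DIR" >&2
  exit 66
fi

mkdir -p "$BUNDLE_OUT"

TS=$(date -u +"%Y%m%dT%H%M%SZ")
BUNDLE_NAME="attestation-bundle-${TS}"
WORK_DIR="${BUNDLE_OUT}/${BUNDLE_NAME}"
mkdir -p "$WORK_DIR"

#######################################
# Refuse to package anything that looks like PEM private-key material.
# The bundle is shipped to verifiers; the *.pem / *.crt / *.json globs below
# would happily scoop up a signing key left next to its certificate.
# Arguments: $@ - candidate files
# Returns:   0 if no file carries a "BEGIN ... PRIVATE KEY" marker; exits 65 otherwise
#######################################
refuse_private_keys() {
  local f
  for f in "$@"; do
    # -a: scan binary files (e.g. *.sig) as text instead of reporting "binary file".
    if grep -aq -- '-----BEGIN .*PRIVATE KEY-----' "$f" 2>/dev/null; then
      printf '[attest-bundle] refusing to bundle private key material: %s\n' "$f" >&2
      exit 65
    fi
  done
}

#######################################
# Copy every file in ATTEST_DIR matching a glob into WORK_DIR.
# A pattern with no match is a silent no-op.
# Globals:   ATTEST_DIR (read), WORK_DIR (read)
# Arguments: $1 - glob pattern relative to ATTEST_DIR, e.g. "*.sig"
#######################################
copy_if_exists() {
  local pattern="$1"
  local -a matches=()
  # Enable nullglob only for this expansion and put the caller's setting back.
  local had_nullglob=0
  shopt -q nullglob && had_nullglob=1
  shopt -s nullglob
  matches=("$ATTEST_DIR"/$pattern)
  (( had_nullglob )) || shopt -u nullglob
  if (( ${#matches[@]} > 0 )); then
    refuse_private_keys "${matches[@]}"
    cp -- "${matches[@]}" "$WORK_DIR/"
  fi
}

#######################################
# Emit $1 as a quoted JSON string. Escapes backslash and double quote only;
# control characters (e.g. a newline in a filename) are not handled.
# Arguments: $1 - raw string
# Outputs:   the quoted string on stdout
#######################################
json_str() {
  local s=$1
  s=${s//\\/\\\\}
  s=${s//\"/\\\"}
  printf '"%s"' "$s"
}

# Collect common attestation artefacts
copy_if_exists "*.dsse.json"
copy_if_exists "*.in-toto.jsonl"
copy_if_exists "*.sarif"
copy_if_exists "*.intoto.json"
copy_if_exists "*.rekor.txt"
copy_if_exists "*.sig"
copy_if_exists "*.crt"
copy_if_exists "*.pem"
copy_if_exists "*.json"

# Manifest: what was bundled, from where, and when. Written before SHA256SUMS so
# that the checksum list covers it.
# NOTE(review): confirm this field set against whatever consumes manifest.json downstream.
shopt -s nullglob
bundled=("$WORK_DIR"/*)
shopt -u nullglob
{
  printf '{\n'
  printf '  "bundle": %s,\n' "$(json_str "$BUNDLE_NAME")"
  printf '  "created_at": %s,\n' "$(json_str "$TS")"
  printf '  "source_dir": %s,\n' "$(json_str "$ATTEST_DIR")"
  printf '  "files": ['
  sep=''
  for f in "${bundled[@]}"; do
    printf '%s\n    %s' "$sep" "$(json_str "${f##*/}")"
    sep=','
  done
  printf '\n  ]\n}\n'
} > "${WORK_DIR}/manifest.json"

# Checksums over everything in the work dir (manifest.json included). The C locale
# pins glob order so two runs over identical inputs yield an identical file.
# sha256sum is GNU coreutils; shasum -a 256 is the usual fallback on BSD/macOS.
if command -v sha256sum >/dev/null 2>&1; then
  SUM_CMD=(sha256sum)
else
  SUM_CMD=(shasum -a 256)
fi
(
  export LC_ALL=C
  cd "$WORK_DIR"
  shopt -s nullglob
  entries=(*)   # never empty: manifest.json was just written
  "${SUM_CMD[@]}" "${entries[@]}" > SHA256SUMS
)

# The .tgz embeds mtimes, so it is not bit-reproducible across runs; the SHA256SUMS
# inside it is the stable integrity record.
tar -C "$BUNDLE_OUT" -czf "${WORK_DIR}.tgz" "${BUNDLE_NAME}"
printf '[attest-bundle] bundle created at %s.tgz\n' "$WORK_DIR"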