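#!/usr/bin/env bash
set -euo pipefail

# DEVOPS-CLI-41-001: Build multi-platform CLI binaries with SBOM and checksums.
#
# Environment:
#   RIDS        comma-separated runtime identifiers passed to `dotnet publish -r`
#               (default: linux-x64,win-x64,osx-arm64)
#   CONFIG      build configuration (default: Release)
#   SBOM_TOOL   syft|none (default: syft)
#   SIGN        "true" to sign every archive with cosign (default: false)
#   COSIGN_KEY  value handed to `cosign sign-blob --key`; required when SIGN=true
#
# Exit codes: 64 invalid RIDS entry, 69 required tool missing,
#             78 signing requested without a key.

RIDS="${RIDS:-linux-x64,win-x64,osx-arm64}"
CONFIG="${CONFIG:-Release}"
PROJECT="src/Cli/StellaOps.Cli/StellaOps.Cli.csproj"
OUT_ROOT="out/cli"
SBOM_TOOL="${SBOM_TOOL:-syft}" # syft|none
SIGN="${SIGN:-false}"
COSIGN_KEY="${COSIGN_KEY:-}"

IFS=',' read -ra TARGETS <<< "$RIDS"

mkdir -p "$OUT_ROOT"

if ! command -v dotnet >/dev/null 2>&1; then
  echo "[cli-build] dotnet CLI not found" >&2
  exit 69
fi

# Fail closed on signing: when SIGN=true the caller expects signed artifacts, so
# a missing key or a missing cosign binary must stop the build up front instead
# of silently producing unsigned archives that look like a complete release.
if [[ "$SIGN" == "true" ]]; then
  if [[ -z "$COSIGN_KEY" ]]; then
    echo "[cli-build] SIGN=true but COSIGN_KEY is empty; refusing to build unsigned archives" >&2
    exit 78
  fi
  if ! command -v cosign >/dev/null 2>&1; then
    echo "[cli-build] SIGN=true but cosign not found" >&2
    exit 69
  fi
fi

# Each RID becomes a path component under OUT_ROOT and part of the archive
# name, so reject anything that is empty or could leave the output tree
# (slashes, leading dots, whitespace) before any build work starts.
rid_pattern='^[A-Za-z0-9][A-Za-z0-9._-]*$'
for rid in "${TARGETS[@]}"; do
  if [[ ! "$rid" =~ $rid_pattern ]]; then
    printf '[cli-build] invalid runtime identifier in RIDS: %q\n' "$rid" >&2
    exit 64
  fi
done

#######################################
# Write a JSON SBOM for a directory using syft.
# Globals:   SBOM_TOOL (read)
# Arguments: $1 - directory to scan
#            $2 - path of the SBOM file to write
# Returns:   0 when the SBOM was written or SBOM generation is skipped;
#            syft's status otherwise
#######################################
generate_sbom() {
  local dir="$1"
  local sbom="$2"

  [[ "$SBOM_TOOL" == "syft" ]] || return 0

  # SBOM generation stays best-effort, but the gap is reported so a release
  # without an SBOM is visible in the build log.
  if ! command -v syft >/dev/null 2>&1; then
    echo "[cli-build] warning: syft not found; no SBOM written for ${dir}" >&2
    return 0
  fi

  syft "dir:${dir}" -o json > "$sbom"
}

#######################################
# Sign a file with cosign, writing the detached signature to "<file>.sig".
# Key and tool availability are verified once before the build loop.
# Globals:   SIGN (read), COSIGN_KEY (read)
# Arguments: $1 - file to sign
# Returns:   0 when signing is disabled or succeeds; cosign's status otherwise
#######################################
sign_file() {
  local file="$1"

  [[ "$SIGN" == "true" ]] || return 0

  # NOTE(review): COSIGN_EXPERIMENTAL=1 is kept from the original invocation;
  # what it enables depends on the installed cosign version — confirm it is
  # still intended for key-based signing.
  COSIGN_EXPERIMENTAL=1 cosign sign-blob --key "$COSIGN_KEY" --output-signature "${file}.sig" "$file"
}

for rid in "${TARGETS[@]}"; do
  echo "[cli-build] publishing for $rid"
  out_dir="${OUT_ROOT}/${rid}"
  publish_dir="${out_dir}/publish"
  mkdir -p "$publish_dir"

  dotnet publish "$PROJECT" -c "$CONFIG" -r "$rid" \
    -o "$publish_dir" \
    --self-contained true \
    -p:PublishSingleFile=true \
    -p:PublishTrimmed=false \
    -p:DebugType=None \
    >/dev/null

  # Package
  archive_ext="tar.gz"
  if [[ "$rid" == win-* ]]; then
    archive_ext="zip"
  fi
  archive_name="stella-cli-${rid}.${archive_ext}"
  archive_path="${out_dir}/${archive_name}"

  if [[ "$archive_ext" == "zip" ]]; then
    # zip adds to an existing archive, so remove any archive left by a previous
    # run to keep stale entries out of the release artifact.
    rm -f -- "$archive_path"
    zip -jr "$archive_path" "$publish_dir"
  else
    # After -C the member list is resolved inside publish_dir, so the member is
    # "." — passing the relative publish_dir again would point at a path that
    # does not exist under it.
    tar -C "$publish_dir" -czf "$archive_path" .
  fi

  # The checksum file records the archive path exactly as given here, i.e.
  # relative to the directory this script is run from.
  sha256sum "$archive_path" > "${archive_path}.sha256"
  sign_file "$archive_path"

  # SBOM
  generate_sbom "$publish_dir" "${archive_path}.sbom.json"
done

# Build manifest
manifest="${OUT_ROOT}/manifest.json"
# NOTE(review): the listing is cut off at this point. The original continues
# with `cat > "$manifest" <` and the manifest body is not visible, so it is
# not reproduced here.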