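#!/usr/bin/env bash
set -euo pipefail

# Minimal offline verifier for telemetry bundles (v1)
#
# Usage: <script> path/to/telemetry-bundle.tar
# Env:   TELEMETRY_BUNDLE_SCHEMA  optional path to telemetry-bundle.schema.json
#
# Exits:
#   0  success
#   21 checksum/manifest missing
#   22 checksum mismatch
#   23 schema validation failed
#   64 usage error (no bundle path given)
#
# NOTE(review): telemetry-bundle.sha256 is read from inside the bundle it
# describes, so this check establishes internal consistency only. Whoever can
# alter the bundle can also replace the checksum list; authenticity needs a
# signature or a digest of the tarball obtained out of band.

BUNDLE=${1:-}
SCHEMA_PATH=${TELEMETRY_BUNDLE_SCHEMA:-}

if [[ -z "$BUNDLE" ]]; then
  echo "Usage: $0 path/to/telemetry-bundle.tar" >&2
  echo "Optional: set TELEMETRY_BUNDLE_SCHEMA=/abs/path/to/telemetry-bundle.schema.json" >&2
  exit 64
fi

WORKDIR=$(mktemp -d)
# ${WORKDIR:?} aborts instead of running rm -rf on an empty path.
cleanup() { rm -rf -- "${WORKDIR:?}"; }
trap cleanup EXIT

# The bundle is untrusted input: do not restore archived owners or modes,
# which matters when the verifier is run as root.
tar --extract --no-same-owner --no-same-permissions \
  --file "$BUNDLE" --directory "$WORKDIR"

MANIFEST="$WORKDIR/telemetry-bundle.json"
HASHES="$WORKDIR/telemetry-bundle.sha256"

# Both files must be regular files that came out of the archive. A symlink is
# treated as missing so that later reads cannot be redirected outside WORKDIR.
if [[ ! -f "$MANIFEST" || ! -f "$HASHES" || -L "$MANIFEST" || -L "$HASHES" ]]; then
  echo "Missing manifest or checksum file." >&2
  exit 21
fi

# Verify checksums. The subshell keeps the caller's working directory intact.
# NOTE(review): only the files listed in telemetry-bundle.sha256 are checked.
# Nothing here confirms that the manifest itself is listed, or that listed
# paths stay inside WORKDIR; consider rejecting absolute paths and '..'.
if ! (cd -- "$WORKDIR" && sha256sum --quiet --check telemetry-bundle.sha256); then
  echo "Checksum mismatch." >&2
  exit 22
fi

# JSON schema validation (optional if jsonschema not present).
# Pick the first interpreter that can actually import jsonschema. Probing the
# import up front keeps a missing module from aborting the script under
# `set -e` with a raw Python traceback instead of the documented skip.
PYTHON_BIN=""
for candidate in python python3; do
  if command -v "$candidate" >/dev/null 2>&1 \
    && "$candidate" -c 'import jsonschema' >/dev/null 2>&1; then
    PYTHON_BIN=$candidate
    break
  fi
done

if [[ -n "$PYTHON_BIN" ]]; then
  SCHEMA_FILE="$SCHEMA_PATH"
  if [[ -z "$SCHEMA_FILE" ]]; then
    # Resolve the repository default relative to this script. `cd` alone prints
    # nothing, so `pwd` is required to capture the resolved directory.
    DEFAULT_SCHEMA_DIR="$(dirname -- "$0")/../../docs/modules/telemetry/schemas"
    SCHEMA_DIR=$(CDPATH='' cd -- "$DEFAULT_SCHEMA_DIR" 2>/dev/null && pwd) \
      || SCHEMA_DIR=$DEFAULT_SCHEMA_DIR
    SCHEMA_FILE="$SCHEMA_DIR/telemetry-bundle.schema.json"
  fi

  if [[ -n "$SCHEMA_FILE" && -f "$SCHEMA_FILE" ]]; then
    # Test the command directly: under `set -e` a separate `$?` check after the
    # heredoc is never reached, so exit code 23 could not be produced.
    if ! "$PYTHON_BIN" - "$MANIFEST" "$SCHEMA_FILE" <<'PY'
import json, sys
from jsonschema import validate, Draft202012Validator

manifest_path = sys.argv[1]
schema_path = sys.argv[2]
with open(manifest_path, 'r', encoding='utf-8') as f:
    manifest = json.load(f)
with open(schema_path, 'r', encoding='utf-8') as f:
    schema = json.load(f)
Draft202012Validator.check_schema(schema)
validate(manifest, schema)
PY
    then
      echo "Schema validation failed." >&2
      exit 23
    fi
  else
    echo "Schema file not found ($SCHEMA_FILE); skipping validation." >&2
  fi
else
  echo "jsonschema validation skipped (requires python + jsonschema)." >&2
fi

echo "Telemetry bundle verified." >&2
exit 0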