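#!/usr/bin/env bash
# shellcheck disable=SC2329
# (file-wide: the check_* functions are only ever invoked indirectly via
#  run_check "$@", so ShellCheck cannot see their call sites)
set -euo pipefail
# =============================================================================
# phase7_post_check.sh — Verify Phase 7 (Branch Protection) succeeded
#
# For every repo in REPO_NAMES (space-separated) this script asserts:
#   1. A branch protection rule named PROTECTED_BRANCH exists
#      (GET /repos/{org}/{repo}/branch_protections/{name} succeeds).
#   2. Direct pushes are disabled on it (the rule's enable_push is boolean
#      false).
#
# Exit status: 0 only if every check on every repo passed AND at least one
# repo was actually checked; 1 otherwise. An empty repo list is treated as a
# failure rather than a vacuous PASS.
#
# Scope / caveats a reviewer should know:
#   - Only the two assertions above are made. Force-push/deletion protection,
#     required approvals, status checks, allow-lists etc. are NOT verified.
#     (In Gitea's model enable_push=false is the strictest push setting;
#     confirm against the Gitea version in use.)
#   - PROTECTED_BRANCH is interpolated into the URL path without percent-
#     encoding. A rule name containing '/' or other reserved characters will
#     produce a wrong path; the check then fails closed (reports FAIL), not
#     open.
#   - Any failure to talk to the API (network error, 401/403, error body,
#     malformed JSON) counts as a FAILED check, never as a pass.
#   - gitea_api comes from lib/common.sh and presumably authenticates with
#     GITEA_ADMIN_TOKEN; its stderr is discarded (see run_check).
#
# Required environment (validated by require_vars from lib/common.sh):
#   GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME REPO_NAMES PROTECTED_BRANCH
# =============================================================================

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
# shellcheck source=lib/common.sh
source "${SCRIPT_DIR}/lib/common.sh"
load_env
require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \
  REPO_NAMES PROTECTED_BRANCH

log_info "=== Phase 7 Post-Check ==="

# Word-split REPO_NAMES on IFS into an array; repo names are assumed not to
# contain whitespace.
read -ra REPOS <<< "$REPO_NAMES"

PASS=0
FAIL=0

#######################################
# Run one check command and tally the verdict.
# Arguments: $1 - human-readable description
#            $@ - command (and its args) to run; exit status is the verdict
# Globals:   PASS, FAIL (incremented)
# Notes:     The command's stderr is discarded so curl/jq noise does not
#            clutter the report. NOTE(review): surfacing that stderr on
#            failure would aid triage, but only do so once it is confirmed
#            that gitea_api never echoes the Authorization header/token.
#######################################
run_check() {
  local description="$1"; shift
  if "$@" 2>/dev/null; then
    log_success "$description"
    PASS=$((PASS + 1))
  else
    log_error "FAIL: $description"
    FAIL=$((FAIL + 1))
  fi
}

#######################################
# Fetch the branch protection rule PROTECTED_BRANCH for one repo.
# Arguments: $1 - repo name (within GITEA_ORG_NAME)
# Outputs:   the rule's JSON on stdout
# Returns:   gitea_api's exit status (non-zero when the rule is missing or
#            the request failed)
#######################################
fetch_protection() {
  gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/branch_protections/${PROTECTED_BRANCH}"
}

#######################################
# Check 1: a protection rule for PROTECTED_BRANCH exists on repo $1.
# Arguments: $1 - repo name
# Returns:   0 if the GET succeeds, non-zero otherwise
#######################################
check_protection_exists() {
  fetch_protection "$1" >/dev/null
}

#######################################
# Check 2: direct pushes to PROTECTED_BRANCH are disabled on repo $1.
# Arguments: $1 - repo name
# Returns:   0 only when the rule is retrievable, parses as JSON and has
#            enable_push === false (boolean). A missing key, an error body,
#            an empty response or unparsable JSON all return non-zero
#            (fail closed). `jq -e` exits non-zero when the expression is
#            false/null, so the comparison doubles as the verdict.
#######################################
check_push_blocked() {
  local protection
  protection=$(fetch_protection "$1") || return 1
  printf '%s' "$protection" | jq -e '.enable_push == false' >/dev/null
}

# A post-check that checked nothing must not report success.
if (( ${#REPOS[@]} == 0 )); then
  log_error "REPO_NAMES yielded no repositories — refusing to report a vacuous PASS"
  exit 1
fi

for repo in "${REPOS[@]}"; do
  log_info "--- Checking repo: ${repo} ---"

  run_check "Branch protection exists for '${PROTECTED_BRANCH}' on ${repo}" \
    check_protection_exists "$repo"

  run_check "Direct push blocked on '${PROTECTED_BRANCH}' for ${repo}" \
    check_push_blocked "$repo"
done

# Summary
printf '\n'
log_info "Results: ${PASS} passed, ${FAIL} failed"
if (( FAIL > 0 )); then
  log_error "Phase 7 post-check FAILED"
  exit 1
fi
log_success "Phase 7 post-check PASSED — branch protection active"
exit 0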