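#!/usr/bin/env bash
set -euo pipefail
# shellcheck disable=SC2329
# =============================================================================
# phase9_post_check.sh — Verify Phase 9 (Security Scanning) succeeded
# Checks for each repo:
#   1. security-scan.yml exists in .gitea/workflows/ — the contents-API
#      response must describe a file, not merely come back without an error
#   2. If SECURITY_FAIL_ON_ERROR=true, branch protection on PROTECTED_BRANCH
#      has status checks enabled and its required contexts cover all three
#      scanners (semgrep, trivy, gitleaks)
# Exits 0 only if ALL checks pass. An empty repo list is reported as a
# failure rather than passing vacuously.
#
# Required env (validated by require_vars): GITEA_ADMIN_TOKEN,
# GITEA_INTERNAL_URL, GITEA_ORG_NAME, REPO_NAMES, SECURITY_FAIL_ON_ERROR,
# PROTECTED_BRANCH. Helpers load_env, require_vars, gitea_api and log_* come
# from lib/common.sh; jq must be on PATH.
# =============================================================================

SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
# shellcheck source=lib/common.sh
source "${SCRIPT_DIR}/lib/common.sh"

load_env
require_vars GITEA_ADMIN_TOKEN GITEA_INTERNAL_URL GITEA_ORG_NAME \
  REPO_NAMES \
  SECURITY_FAIL_ON_ERROR PROTECTED_BRANCH

log_info "=== Phase 9 Post-Check ==="

# REPO_NAMES is whitespace-separated; a set-but-blank value would otherwise
# yield zero checks and a misleading PASS.
read -ra REPOS <<< "$REPO_NAMES"
if (( ${#REPOS[@]} == 0 )); then
  log_error "REPO_NAMES is set but contains no repository names"
  exit 1
fi

PASS=0
FAIL=0

#######################################
# Run one check command and tally its result.
# Globals:   PASS, FAIL (incremented)
# Arguments: $1 - human-readable description; rest - command and its args
# Outputs:   one log line per check; the check's stderr is discarded so a
#            failing API call does not interleave with the summary
#######################################
run_check() {
  local description="$1"; shift
  if "$@" 2>/dev/null; then
    log_success "$description"
    PASS=$((PASS + 1))
  else
    log_error "FAIL: $description"
    FAIL=$((FAIL + 1))
  fi
}

#######################################
# Check 1: security-scan.yml exists in the repo's .gitea/workflows/.
# Inspects the response body instead of trusting only gitea_api's exit
# status, so an error document (e.g. a not-found JSON reply) cannot be
# mistaken for a present workflow.
# Globals:   GITEA_ORG_NAME (read)
# Arguments: $1 - repo name
# Returns:   0 if the API describes a file at that path, non-zero otherwise
#######################################
check_workflow_exists() {
  local body
  body=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/contents/.gitea/workflows/security-scan.yml") || return 1
  # jq -e exits non-zero on false/null and on empty or non-object input.
  printf '%s' "$body" | jq -e '.type == "file"' >/dev/null
}

#######################################
# Check 2: branch protection on PROTECTED_BRANCH actually enforces the
# security scanners. A context list is only honoured by Gitea when
# enable_status_check is true, so that flag is verified first; each scanner
# name must then appear in at least one required context (substring match,
# since job names may carry a workflow prefix).
# Globals:   GITEA_ORG_NAME, PROTECTED_BRANCH (read)
# Arguments: $1 - repo name
# Returns:   0 if status checks are enabled and all three scanners are
#            required, non-zero otherwise
#######################################
check_status_checks() {
  local protection
  protection=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/branch_protections/${PROTECTED_BRANCH}") || return 1
  printf '%s' "$protection" | jq -e '.enable_status_check == true' >/dev/null || return 1
  local scanner
  for scanner in semgrep trivy gitleaks; do
    printf '%s' "$protection" \
      | jq -e --arg s "$scanner" 'any(.status_check_contexts // [] | .[]; contains($s))' >/dev/null \
      || return 1
  done
}

for repo in "${REPOS[@]}"; do
  log_info "--- Checking repo: ${repo} ---"

  run_check "security-scan.yml exists in ${repo}" check_workflow_exists "$repo"

  # Branch-protection enforcement is only mandated when scans are blocking.
  if [[ "$SECURITY_FAIL_ON_ERROR" == "true" ]]; then
    run_check "Branch protection includes security checks for ${repo}" check_status_checks "$repo"
  fi
done

# Summary
printf '\n'
log_info "Results: ${PASS} passed, ${FAIL} failed"
if [[ $FAIL -gt 0 ]]; then
  log_error "Phase 9 post-check FAILED"
  exit 1
else
  log_success "Phase 9 post-check PASSED — security scanning active"
  exit 0
fi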