#!/bin/sh
# weldctl installer — https://cli.cloud.naasson.com/install.sh
#
# Usage:
#   curl -fsSL https://cli.cloud.naasson.com/install.sh | sh
#
# Environment overrides:
#   WELDCTL_VERSION      release tag (default: latest)
#   WELDCTL_INSTALL_DIR  install path (default: /usr/local/bin)
#   WELDCTL_HOST         release hosting base URL
#
# Verification:
#   The SHA-256 checksum is mandatory: if it cannot be fetched or does not
#   match, the script exits non-zero and installs nothing. The cosign
#   signature is verified only when `cosign` is on PATH; without it the
#   script prints a warning and continues.
#   The checksum manifest is fetched from the same release location as the
#   archive, so on its own it detects corruption or truncation, not a tampered
#   release. The cosign signature is the authenticity check.

set -eu

REPO="naasson-2026/devops-cli"
INSTALL_DIR="${WELDCTL_INSTALL_DIR:-/usr/local/bin}"
VERSION="${WELDCTL_VERSION:-latest}"
HOST="${WELDCTL_HOST:-https://gitlab.com/$REPO/-/releases}"

# err MESSAGE... — print a red "error:" line on stderr and abort with status 1.
err() {
  printf '\033[31merror:\033[0m %s\n' "$*" >&2
  exit 1
}

# warn MESSAGE... — print a yellow "warning:" line on stderr and carry on.
warn() {
  printf '\033[33mwarning:\033[0m %s\n' "$*" >&2
}

# info MESSAGE... — print a green "==>" progress line on stdout.
info() {
  printf '\033[32m==>\033[0m %s\n' "$*"
}

# Normalise the machine architecture to the names used in release archives.
arch=$(uname -m)
case "$arch" in
  x86_64 | amd64)
    arch=amd64
    ;;
  arm64 | aarch64)
    arch=arm64
    ;;
  *)
    err "unsupported arch: $arch (only amd64/arm64 are released)"
    ;;
esac

# Lower-case kernel name; only linux and darwin archives are published.
os=$(uname -s | tr '[:upper:]' '[:lower:]')
if [ "$os" != "linux" ] && [ "$os" != "darwin" ]; then
  err "unsupported os: $os (only linux/darwin via install.sh; Windows: use scoop bucket)"
fi

# Pick the SHA-256 tool. SHA may hold a command plus arguments, so later code
# expands it unquoted on purpose. macOS ships shasum; Linux ships sha256sum.
if command -v sha256sum >/dev/null 2>&1; then
  SHA="sha256sum"
else
  command -v shasum >/dev/null 2>&1 ||
    err "neither sha256sum nor shasum found — cannot verify checksum"
  SHA="shasum -a 256"
fi

# The install directory must already exist; escalate with sudo only when the
# current user cannot write to it.
[ -d "$INSTALL_DIR" ] ||
  err "$INSTALL_DIR does not exist; create it or set WELDCTL_INSTALL_DIR"

SUDO=""
if [ -w "$INSTALL_DIR" ]; then
  : # writable as the current user — no privilege escalation needed
elif command -v sudo >/dev/null 2>&1; then
  SUDO=sudo
else
  err "$INSTALL_DIR is not writable and sudo is unavailable; set WELDCTL_INSTALL_DIR=\$HOME/.local/bin"
fi

# Build URLs.
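# A pinned tag uses the versioned archive name (leading "v" stripped);
# "latest" uses the unversioned one.
URL_BASE="$HOST/$VERSION/downloads"
if [ "$VERSION" = "latest" ]; then
  ARCHIVE="weldctl-${os}-${arch}.tar.gz"
else
  ARCHIVE="weldctl_${VERSION#v}_${os}_${arch}.tar.gz"
fi
URL="$URL_BASE/$ARCHIVE"
SUMS_URL="$URL_BASE/checksums.txt"

# Private scratch directory (mktemp -d creates it mode 0700); removed on exit.
TMP=$(mktemp -d) || err "could not create a temporary directory"
trap 'rm -rf -- "$TMP"' EXIT

# fetch URL DEST — download URL to DEST over HTTPS only.
# --proto '=https' also applies to redirects followed by -L, so neither a
# WELDCTL_HOST override nor a redirect can downgrade the transfer to
# plaintext, where archive and checksum manifest could be swapped together.
fetch() {
  curl --proto '=https' --tlsv1.2 -fsSL "$1" -o "$2"
}

info "Downloading $URL"
fetch "$URL" "$TMP/weldctl.tar.gz" ||
  err "download failed; check $URL"
fetch "$SUMS_URL" "$TMP/checksums.txt" ||
  err "checksum manifest download failed; refusing to install unverified binary"

info "Verifying SHA-256 checksum"
# Match the manifest entry by exact file name instead of using the name as a
# regex (its dots would match any character). "*name" is the binary-mode form
# that sha256sum/shasum can emit. Duplicate entries produce a multi-line value
# that can never equal the computed digest, so they fail closed.
# NOTE: the manifest comes from the same location as the archive, so this
# step proves integrity of the transfer, not authenticity of the release.
expected=$(awk -v name="$ARCHIVE" \
  '$2 == name || $2 == "*" name { print $1 }' "$TMP/checksums.txt")
[ -n "$expected" ] || err "no checksum entry for $ARCHIVE in $SUMS_URL"
# $SHA is deliberately unquoted: it may be "shasum -a 256".
actual=$($SHA "$TMP/weldctl.tar.gz" | awk '{print $1}')
[ "$expected" = "$actual" ] ||
  err "checksum mismatch — expected=$expected actual=$actual; DO NOT install"

# Optional cosign verification.
if command -v cosign >/dev/null 2>&1; then
  info "Verifying cosign signature"
  fetch "$URL.sig" "$TMP/weldctl.sig" || err "signature download failed"
  # Pin the signer identity to this project. Accepting any identity under
  # https://gitlab.com/ would let a signature produced by any other GitLab.com
  # project's pipeline pass verification.
  # NOTE(review): assumes releases are signed by pipelines of $REPO — confirm
  # against the release job before shipping.
  cosign verify-blob \
    --certificate-identity-regexp "^https://gitlab\\.com/${REPO}/" \
    --certificate-oidc-issuer https://gitlab.com \
    --signature "$TMP/weldctl.sig" \
    "$TMP/weldctl.tar.gz" ||
    err "cosign signature verification failed"
else
  # Without cosign, nothing below establishes who produced the archive.
  warn "cosign not installed — skipping signature verification"
  warn " install: brew install cosign (or: go install github.com/sigstore/cosign/v2/cmd/cosign@latest)"
fi

# Extract into a dedicated directory so archive members cannot replace the
# files that were just verified, and refuse a symlink posing as the binary.
info "Extracting"
mkdir "$TMP/extract"
tar -C "$TMP/extract" -xzf "$TMP/weldctl.tar.gz"
if [ ! -f "$TMP/extract/weldctl" ] || [ -L "$TMP/extract/weldctl" ]; then
  err "weldctl binary not found in archive"
fi

info "Installing to $INSTALL_DIR/weldctl"
# install(1) copies with an explicit mode. Under sudo the result is owned by
# root, whereas `sudo mv` within one filesystem keeps the invoking user as
# owner, leaving a binary in a system directory that the user's own processes
# could later overwrite. $SUDO is deliberately unquoted: it may be empty.
$SUDO install -m 0755 "$TMP/extract/weldctl" "$INSTALL_DIR/weldctl" ||
  err "could not install weldctl into $INSTALL_DIR"

if ! command -v weldctl >/dev/null 2>&1; then
  err "weldctl not found in PATH after install — add $INSTALL_DIR to PATH"
fi
# Run the copy that was just verified and installed, not whichever weldctl
# happens to come first in PATH.
"$INSTALL_DIR/weldctl" version
info "Installed. Try: weldctl init"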