#!/usr/bin/env bash
#
# Seed a realistic kit fixture for the jig agent-shape battery.
#
# Produces fixtures/agent-shape-realistic/ populated with:
#   - kit.toml: project-local config with cache_dir pointed at the
#     fixture's own cache (no global state pollution)
#   - cache/registries/primary/: nomograph-style first-party registry
#     with kit + synthesist + rune at tier `own`
#   - cache/registries/thirdparty/: third-party registry with ripgrep
#     and gh at low/high tiers; ripgrep here also exists in primary so
#     resolution precedence is exercisable
#   - cache/registries/scratch/: writable registry, initialized by
#     `kit init --registry`, available for any task that needs to add
#     a tool
#   - one pre-existing pin (gh @ 2.40.0) so unpin tasks have something
#     to act on
#   - one tampered checksum (synthesist macos-arm64) so verify-registry
#     surfaces a real failure
#
# Idempotent: wipes and rebuilds the fixture on every invocation so
# each trial starts from identical state. Fully offline: never reaches
# the network. Never touches ~/.config/kit or ~/.cache/kit.
#
# Usage: run by jig during fixture setup. Can also be run manually
# from any cwd; the script computes paths relative to itself.

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
FIXTURE_DIR="$REPO_ROOT/fixtures/agent-shape-realistic"
CACHE_DIR="$FIXTURE_DIR/cache"

# Hard reset.
rm -rf "$FIXTURE_DIR"
mkdir -p "$FIXTURE_DIR" "$CACHE_DIR/registries"

# --- project kit.toml -------------------------------------------------
# cache_dir points at the fixture's own cache so no global state is
# touched. Two readonly registries (primary, thirdparty) plus one
# writable scratch registry.
cat > "$FIXTURE_DIR/kit.toml" <<EOF
# Fixture project configuration. Generated by agent-shape-fixture.sh.

[settings]
cache_dir = "$CACHE_DIR"
verify_signatures = true

[[registry]]
name = "primary"
url = "https://gitlab.com/nomograph-fixture/primary.git"
branch = "main"
readonly = true

[[registry]]
name = "thirdparty"
url = "https://gitlab.com/nomograph-fixture/thirdparty.git"
branch = "main"
readonly = true

[[registry]]
name = "scratch"
url = "https://gitlab.com/nomograph-fixture/scratch.git"
branch = "main"
readonly = false

[pins.gh]
version = "2.40.0"
EOF

# --- helper: stamp a registry as a "cloned" git repo ------------------
# kit's resolve_tools only needs the directory to exist; ensure_registry
# (called by kit sync / kit diff) checks for .git and pulls. The
# fixture is offline so we just leave the dir without .git for the
# readonly registries -- kit status reads them fine. The scratch
# registry uses kit init --registry which initializes the structure
# we need for kit add to work.

mk_meta() {
  local dir="$1"
  local name="$2"
  local desc="$3"
  mkdir -p "$dir/tools"
  cat > "$dir/tools/_meta.toml" <<EOF
[registry]
name = "$name"
description = "$desc"
maintainer = "fixture@example.com"

[policy]
auto_merge_tiers = ["low"]
auto_merge_bump = ["patch", "minor"]
auto_merge_requires_checksum = true
EOF
}

# --- primary registry: first-party tools, tier `own` ------------------
PRIMARY="$CACHE_DIR/registries/primary"
mk_meta "$PRIMARY" "primary" "Fixture first-party registry"

cat > "$PRIMARY/tools/kit.toml" <<'EOF'
[tool]
name = "kit"
source = "gitlab"
project_id = 81000001
version = "0.11.0"
tag_prefix = "v"
bin = "kit"
tier = "own"

[tool.assets]
linux-x64 = "kit-linux-amd64"
macos-arm64 = "kit-darwin-arm64"

[tool.checksum]
file = "checksums.txt"
format = "sha256"

[tool.signature]
method = "cosign-keyless"
issuer = "https://gitlab.com"
identity = "https://gitlab.com/nomograph/kit"

[tool.checksums]
linux-x64 = "1111111111111111111111111111111111111111111111111111111111111111"
macos-arm64 = "2222222222222222222222222222222222222222222222222222222222222222"
EOF

cat > "$PRIMARY/tools/synthesist.toml" <<'EOF'
[tool]
name = "synthesist"
source = "gitlab"
project_id = 81000002
version = "2.1.1"
tag_prefix = "v"
bin = "synthesist"
tier = "own"

[tool.assets]
linux-x64 = "synthesist-linux-amd64"
macos-arm64 = "synthesist-darwin-arm64"

[tool.checksum]
file = "checksums.txt"
format = "sha256"

[tool.signature]
method = "cosign-keyless"
issuer = "https://gitlab.com"
identity = "https://gitlab.com/nomograph/synthesist"

# NOTE (fixture): macos-arm64 checksum is intentionally malformed
# (truncated, not 64 hex chars) so kit verify-registry surfaces a real
# offline failure for the diagnostic task. Do not "fix" the length.
[tool.checksums]
linux-x64 = "3333333333333333333333333333333333333333333333333333333333333333"
macos-arm64 = "deadbeef"
EOF

cat > "$PRIMARY/tools/rune.toml" <<'EOF'
[tool]
name = "rune"
source = "gitlab"
project_id = 81000003
version = "0.14.0"
tag_prefix = "v"
bin = "rune"
tier = "own"

[tool.assets]
linux-x64 = "rune-linux-amd64"
macos-arm64 = "rune-darwin-arm64"

[tool.checksum]
file = "checksums.txt"
format = "sha256"

[tool.signature]
method = "cosign-keyless"
issuer = "https://gitlab.com"
identity = "https://gitlab.com/nomograph/rune"

[tool.checksums]
linux-x64 = "4444444444444444444444444444444444444444444444444444444444444444"
macos-arm64 = "5555555555555555555555555555555555555555555555555555555555555555"
EOF

# Primary also defines ripgrep so resolution-precedence tasks have
# something to work with (primary wins over thirdparty).
cat > "$PRIMARY/tools/ripgrep.toml" <<'EOF'
[tool]
name = "ripgrep"
source = "github"
version = "15.1.0"
tag_prefix = ""
bin = "rg"
tier = "low"
repo = "BurntSushi/ripgrep"

[tool.assets]
linux-x64 = "ripgrep-{version}-x86_64-unknown-linux-musl.tar.gz"
macos-arm64 = "ripgrep-{version}-aarch64-apple-darwin.tar.gz"

[tool.checksums]
linux-x64 = "6666666666666666666666666666666666666666666666666666666666666666"
macos-arm64 = "7777777777777777777777777777777777777777777777777777777777777777"
EOF

# --- thirdparty registry: low/high tiers ------------------------------
THIRDPARTY="$CACHE_DIR/registries/thirdparty"
mk_meta "$THIRDPARTY" "thirdparty" "Fixture third-party registry"

cat > "$THIRDPARTY/tools/gh.toml" <<'EOF'
[tool]
name = "gh"
source = "github"
version = "2.74.0"
tag_prefix = "v"
bin = "gh"
tier = "high"
repo = "cli/cli"

[tool.assets]
linux-x64 = "gh_{version}_linux_amd64.tar.gz"
macos-arm64 = "gh_{version}_macOS_arm64.zip"

[tool.attestation]
method = "github"
repo = "cli/cli"

[tool.checksums]
linux-x64 = "8888888888888888888888888888888888888888888888888888888888888888"
macos-arm64 = "9999999999999999999999999999999999999999999999999999999999999999"
EOF

cat > "$THIRDPARTY/tools/ripgrep.toml" <<'EOF'
[tool]
name = "ripgrep"
source = "github"
version = "14.1.0"
tag_prefix = ""
bin = "rg"
tier = "low"
repo = "BurntSushi/ripgrep"

[tool.assets]
linux-x64 = "ripgrep-{version}-x86_64-unknown-linux-musl.tar.gz"
macos-arm64 = "ripgrep-{version}-aarch64-apple-darwin.tar.gz"

[tool.checksums]
linux-x64 = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"
macos-arm64 = "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb"
EOF

cat > "$THIRDPARTY/tools/jq.toml" <<'EOF'
[tool]
name = "jq"
source = "github"
version = "1.7.1"
tag_prefix = "jq-"
bin = "jq"
tier = "low"
repo = "jqlang/jq"

[tool.assets]
linux-x64 = "jq-linux-amd64"
macos-arm64 = "jq-macos-arm64"

[tool.checksums]
linux-x64 = "cccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccccc"
macos-arm64 = "dddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddddd"
EOF

# --- scratch registry: writable, real init layout ---------------------
# Built directly rather than via `kit init --registry` so the fixture
# stays offline-pure and structurally identical between runs.
SCRATCH="$CACHE_DIR/registries/scratch"
mk_meta "$SCRATCH" "scratch" "Fixture writable scratch registry"
cat > "$SCRATCH/.gitignore" <<'EOF'
updates.json
updates.json.sha256
evaluated.json
evaluated.json.sha256
sense-report.json
sense-report.json.sha256
__pycache__/
EOF

# --- sanity check -----------------------------------------------------
# Fail loudly if the fixture didn't produce the expected files. Easier
# to debug here than in a jig trial transcript.
test -f "$FIXTURE_DIR/kit.toml"
test -f "$PRIMARY/tools/_meta.toml"
test -f "$PRIMARY/tools/synthesist.toml"
test -f "$THIRDPARTY/tools/gh.toml"
test -f "$THIRDPARTY/tools/ripgrep.toml"
test -f "$SCRATCH/tools/_meta.toml"

echo "fixture seeded at $FIXTURE_DIR"