#!/usr/bin/env bash
set -euo pipefail

# Directory to scaffold into: first CLI argument, current directory when absent.
TARGET_ROOT=${1:-.}
# Endpoint written into the generated job; the environment may override the default.
: "${BLACKSHIELD_API_URL:=https://api.blackshield.chaplau.com}"
# Policy-client image written into the generated job; the environment may override the default.
: "${BLACKSHIELD_POLICY_IMAGE:=public.ecr.aws/blackshield-security/policy-client:1.0.0}"

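#######################################
# Replace every occurrence of a literal string in a text file, in place.
# Both the placeholder and the replacement are treated as plain text, not as
# sed patterns: a '.' in the placeholder only matches a '.', and '&', '|' or
# '\' in the replacement (e.g. a URL with a query string) are copied verbatim.
# Not suitable for files containing NUL bytes (bash strings cannot hold them).
# Arguments: $1 - path of the file to rewrite
#            $2 - literal text to search for (must be non-empty)
#            $3 - literal text to substitute
# Outputs:   rewrites $1; diagnostics to stderr
# Returns:   0 on success, 1 on empty placeholder or read failure
#######################################
replace_literal() {
  local file_path="$1"
  local placeholder="$2"
  local replacement="$3"
  local content

  # An empty search string would either match nothing or loop; refuse it explicitly.
  if [[ -z "$placeholder" ]]; then
    printf 'replace_literal: empty placeholder for %s\n' "$file_path" >&2
    return 1
  fi

  # Slurp the file; the trailing sentinel keeps $(...) from stripping final newlines.
  content=$(cat -- "$file_path" && printf 'x') || return 1
  content=${content%x}

  # Quoting the pattern makes bash match it literally; quoting the replacement
  # keeps '&' literal even where patsub_replacement (bash 5.2+) is enabled.
  content=${content//"$placeholder"/"$replacement"}

  # Written back in place (keeps the file's mode); the file is a freshly generated
  # scaffold, so a partial write on failure is acceptable here.
  printf '%s' "$content" > "$file_path"
}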

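# Path of the generated pipeline include, computed once so the write, the
# placeholder substitution and the summary line cannot drift apart.
guardrails_file="$TARGET_ROOT/.gitlab/deploy-guardrails.yml"

mkdir -p -- "${guardrails_file%/*}"

# The heredoc delimiter is quoted, so the $CI_* references below are written
# verbatim for GitLab to expand at pipeline time. Only the API URL and the
# __BLACKSHIELD_POLICY_IMAGE__ placeholder are substituted at scaffold time.
# An existing file at this path is overwritten without warning.
# NOTE(review): POLICY_CONTEXT_JSON embeds $GITLAB_USER_LOGIN inside a JSON
# string without escaping, and the second rule lets a web-started pipeline on
# any ref run the job -- confirm both match the intended deploy gate.
cat > "$guardrails_file" <<'EOF'
deploy-guardrails:
  stage: deploy
  image: __BLACKSHIELD_POLICY_IMAGE__
  script:
    - python -m policy.entrypoint
  variables:
    BLACKSHIELD_API_URL: "https://api.blackshield.chaplau.com"
    # Set BLACKSHIELD_API_KEY in Settings -> CI/CD -> Variables (masked + protected)
    POLICY_SERVICE_ID: "payment-gateway"
    POLICY_TARGET_ENVIRONMENT: "prod"
    POLICY_REPOSITORY: "$CI_PROJECT_PATH"
    POLICY_ARTIFACT: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
    POLICY_COMMIT_SHA: "$CI_COMMIT_SHA"
    POLICY_BRANCH: "$CI_COMMIT_REF_NAME"
    POLICY_ACTOR: "$GITLAB_USER_LOGIN"
    POLICY_DEPLOYMENT_TARGET: "production-cluster-a"
    POLICY_CONTEXT_JSON: '{"reviewer":"$GITLAB_USER_LOGIN","pipeline":"deploy-production"}'
  rules:
    - if: $CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH
    - if: $CI_PIPELINE_SOURCE == "web"
EOF

# Swap in the scaffold-time values (no-ops when the defaults are in use).
replace_literal "$guardrails_file" 'https://api.blackshield.chaplau.com' "$BLACKSHIELD_API_URL"
replace_literal "$guardrails_file" '__BLACKSHIELD_POLICY_IMAGE__' "$BLACKSHIELD_POLICY_IMAGE"

printf '%s\n' 'Wrote source bundle files:'
printf '  - %s\n' "$guardrails_file"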
