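#!/usr/bin/env nu
# publish-ncl-lib.nu — Publish a Nickel library as an OCI artifact to Zot registry.
# Usage: nu publish-ncl-lib.nu --lib-dir <dir> --registry <host:port> --name <name> --tag <version>

# Typecheck, secret-scan, export and push one Nickel library.
#
# Runs five steps and aborts with `error make` on the first failure:
#   1. `nickel typecheck` on <lib-dir>/<name>.ncl
#   2. `gitleaks detect --no-git` over <lib-dir>
#   3. `nickel export --format json`, written into a freshly created temp directory
#   4. SHA-256 of the exported file
#   5. `oras push` of the export to <registry>/<name>:<tag> with descriptive annotations
def main [
    --lib-dir: string,   # directory containing the .ncl file
    --registry: string,  # OCI registry URL e.g. localhost:5000
    --name: string,      # library name e.g. stratum-base
    --tag: string,       # version tag e.g. 0.1.0
]: nothing -> nothing {
    # Flags declared without a default are optional and arrive as null when
    # omitted; fail early with a clear message instead of a type error later.
    for flag in [
        [label value];
        ["--lib-dir" $lib_dir]
        ["--registry" $registry]
        ["--name" $name]
        ["--tag" $tag]
    ] {
        if ($flag.value | is-empty) {
            error make { msg: $"missing required flag ($flag.label)" }
        }
    }

    # Nushell interpolates only parenthesised expressions inside $"..."; the
    # bracketed form would print the variable name literally.
    print $"Publishing Nickel lib ($name):($tag) to ($registry)"

    let ncl_file = ($lib_dir | path join $"($name).ncl")

    # Step 1: typecheck
    let check = (do { ^nickel typecheck $ncl_file } | complete)
    if ($check.exit_code != 0) {
        error make { msg: $"nickel typecheck failed:\n($check.stderr)" }
    }
    print "typecheck passed"

    # Step 2: gitleaks secret scan
    # NOTE(review): gitleaks output can contain the matched secret text; if this
    # runs where logs are shared (CI), consider gitleaks' --redact option.
    let leak = (do { ^gitleaks detect --source $lib_dir --no-git } | complete)
    if ($leak.exit_code != 0) {
        error make { msg: $"gitleaks detected secrets in ($lib_dir):\n($leak.stdout)" }
    }
    print "gitleaks clean"

    # Step 3: export JSON artifact
    # The export goes into a directory created by mktemp rather than a fixed
    # file name directly under the shared temp dir: a predictable path written
    # with `save --force` can be pre-created or swapped by another local user
    # between the write, the hash and the push.
    # The directory is left in place so the pushed export can be inspected.
    let work_dir = (mktemp --directory --tmpdir)
    let export_file = $"($name)-export.json"
    let export_path = ($work_dir | path join $export_file)
    let export = (do { ^nickel export --format json $ncl_file } | complete)
    if ($export.exit_code != 0) {
        error make { msg: $"nickel export failed:\n($export.stderr)" }
    }
    $export.stdout | save --force $export_path
    print $"nickel export → ($export_path)"

    # Step 4: sha256
    # Hash the bytes that were written to disk, using the builtin so the
    # script does not depend on an external sha256sum binary.
    let sha = (open --raw $export_path | hash sha256)
    print $"sha256: ($sha)"

    # Step 5: oras push
    let image_ref = $"($registry)/($name):($tag)"
    let nickel_ver_result = (do { ^nickel --version } | complete)
    let nickel_ver = if ($nickel_ver_result.exit_code == 0) {
        $nickel_ver_result.stdout | str trim
    } else {
        "unknown"
    }

    # The sha256 annotation travels in the same manifest as the layer, so it
    # records the export digest but does not authenticate the artifact on its
    # own; consumers should pin the manifest digest or verify a signature.
    let annotations = [
        "--annotation" $"org.stratumiops.lib.name=($name)"
        "--annotation" $"org.stratumiops.lib.sha256=($sha)"
        "--annotation" $"org.stratumiops.lib.tag=($tag)"
        "--annotation" $"org.stratumiops.lib.nickel-version=($nickel_ver)"
    ]

    # Push from inside the work directory with a relative file name. oras
    # releases that validate file paths refuse absolute paths unless
    # --disable-path-validation is passed, and the relative name keeps the
    # local temp path out of the layer metadata. `cd` inside `do` is scoped
    # to the closure and does not change the caller's directory.
    let push = (do {
        cd $work_dir
        ^oras push $image_ref $"($export_file):application/vnd.stratumiops.ncl.export.v1+json" ...$annotations
    } | complete)
    if ($push.exit_code != 0) {
        error make { msg: $"oras push failed:\n($push.stderr)" }
    }
    print $"pushed ($image_ref)"
}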