#!/usr/bin/env bash
# ─────────────────────────────────────────────────────────────────────────────
# upload_apk.sh — push a built APK to bee.cuilabs.io via the admin route.
#
# Lighter-weight alternative to apps/mobile/scripts/release-android.sh:
# it does NOT build, sign, bump versions, or rewrite vercel.json. It
# assumes you already have a signed APK on disk and just pushes it to
# /api/admin/upload-apk, which uploads to Vercel Blob and inserts a
# row into public.apk_releases. /download reads the latest row.
#
# Usage:
#   APK_UPLOAD_SECRET=… ./scripts/upload_apk.sh \
#     apps/mobile/android/app/build/outputs/apk/release/app-release.apk \
#     0.1.0 6
#
# Required env:
#   APK_UPLOAD_SECRET   — Bearer token, must equal Vercel project env
#
# Optional env:
#   BEE_WEB_BASE_URL    — defaults to https://bee.cuilabs.io
#   APK_NOTES           — release notes string
# ─────────────────────────────────────────────────────────────────────────────
set -euo pipefail

APK="${1:?usage: upload_apk.sh <apk-path> <versionName> <versionCode>}"
VERSION_NAME="${2:?usage: upload_apk.sh <apk-path> <versionName> <versionCode>}"
VERSION_CODE="${3:?usage: upload_apk.sh <apk-path> <versionName> <versionCode>}"

if [ ! -f "$APK" ]; then
  echo "no APK at $APK" >&2
  exit 1
fi
if [ -z "${APK_UPLOAD_SECRET:-}" ]; then
  echo "APK_UPLOAD_SECRET not set" >&2
  exit 1
fi
if ! command -v shasum >/dev/null 2>&1; then
  echo "shasum not found" >&2
  exit 1
fi
if ! command -v curl >/dev/null 2>&1; then
  echo "curl not found" >&2
  exit 1
fi

BASE="${BEE_WEB_BASE_URL:-https://bee.cuilabs.io}"
SHA256=$(shasum -a 256 "$APK" | awk '{print toupper($1)}')

# Capture the short git SHA when this is a git checkout. set -e is on,
# so we explicitly probe with `command -v` and `git rev-parse` rather
# than swallow the exit code with shell short-circuit operators
# (forbidden by scripts/quality/check_honesty.py).
if command -v git >/dev/null 2>&1 && git rev-parse --short HEAD >/dev/null 2>&1; then
  GIT_SHA=$(git rev-parse --short HEAD)
else
  GIT_SHA=""
fi

# stat is BSD on macOS, GNU on Linux — different flag set. Probe each.
if SIZE=$(stat -f%z "$APK" 2>/dev/null); then
  :
elif SIZE=$(stat -c%s "$APK" 2>/dev/null); then
  :
else
  echo "could not stat $APK" >&2
  exit 1
fi

echo "→ uploading $APK ($SIZE bytes)"
echo "  version : $VERSION_NAME (build $VERSION_CODE)"
echo "  sha256  : $SHA256"
echo "  git     : ${GIT_SHA:-<not a git checkout>}"
echo "  target  : $BASE/api/admin/upload-apk"

curl -fsSL --fail-with-body -X POST "$BASE/api/admin/upload-apk" \
  -H "Authorization: Bearer $APK_UPLOAD_SECRET" \
  -F "apk=@${APK};type=application/vnd.android.package-archive" \
  -F "versionName=$VERSION_NAME" \
  -F "versionCode=$VERSION_CODE" \
  -F "sha256=$SHA256" \
  -F "gitSha=$GIT_SHA" \
  -F "notes=${APK_NOTES:-}"
echo
echo "✓ uploaded — verify at $BASE/download"