#!/usr/bin/env bash
set -euo pipefail

usage() {
  cat <<'EOF'
Usage: scripts/package_verified_crx.sh [--key FILE.gpg] [--browser COMMAND] [--out FILE.crx]

Builds the Chrome Web Store package and creates a CRX signed with the dedicated
verified-upload RSA key. The RSA private key is expected to be GPG-encrypted.

Environment alternatives:
  VERIFIED_CRX_KEY_GPG   Path to encrypted RSA private key
  CHROME_FOR_PACKING     Browser command with --pack-extension support
EOF
}

key_gpg="${VERIFIED_CRX_KEY_GPG:-secrets/verified-crx/chrome-webstore-verified-crx-private-key.pem.gpg}"
browser_cmd="${CHROME_FOR_PACKING:-}"
out=""

while [[ $# -gt 0 ]]; do
  case "$1" in
    --key)
      key_gpg="${2:-}"
      shift 2
      ;;
    --browser)
      browser_cmd="${2:-}"
      shift 2
      ;;
    --out)
      out="${2:-}"
      shift 2
      ;;
    -h|--help)
      usage
      exit 0
      ;;
    *)
      echo "Unknown argument: $1" >&2
      usage >&2
      exit 2
      ;;
  esac
done

if [[ ! -f "$key_gpg" ]]; then
  echo "Encrypted verified CRX key not found: $key_gpg" >&2
  echo "Create it with: scripts/setup_verified_crx_key.sh --recipient '<your GPG key>'" >&2
  exit 1
fi

if [[ -z "$browser_cmd" ]]; then
  for candidate in google-chrome chrome chromium chromium-browser brave-browser brave; do
    if command -v "$candidate" >/dev/null 2>&1; then
      browser_cmd="$candidate"
      break
    fi
  done
fi

if [[ -z "$browser_cmd" ]]; then
  echo "No Chromium-based browser with --pack-extension found. Pass --browser or set CHROME_FOR_PACKING." >&2
  exit 1
fi

version="$(python - <<'PY'
import json
from pathlib import Path
print(json.loads(Path('extension/manifest.json').read_text())['version'])
PY
)"
out="${out:-dist/browser-cli-extension-webstore-verified-v${version}.crx}"

npm run build:extension
python scripts/package_extension.py --webstore --out "dist/browser-cli-extension-webstore-v${version}.zip" >/dev/null

staging="$PWD/dist/extension-package-webstore"
if [[ ! -d "$staging" ]]; then
  echo "Missing webstore staging directory: $staging" >&2
  exit 1
fi

tmp_dir="$(mktemp -d)"
private_key="$tmp_dir/verified-crx-private-key.pem"
trap 'rm -rf "$tmp_dir"' EXIT

gpg --decrypt --output "$private_key" "$key_gpg"
chmod 600 "$private_key"

rm -f "$staging.crx"
"$browser_cmd" \
  --pack-extension="$staging" \
  --pack-extension-key="$private_key" \
  --no-message-box \
  --disable-gpu \
  --no-sandbox >/dev/null

mkdir -p "$(dirname "$out")"
mv "$staging.crx" "$out"

echo "$out"