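# Clavis — build pipeline
# FIPS 140-3: BoringCrypto via GOEXPERIMENT=boringcrypto
# Requires Go 1.24+ (verified: go1.24.0)
#
# Usage:
#   make deploy        — build vault + CLI, test, verify FIPS, restart vault
#   make deploy-vault  — build vault, test, verify FIPS, restart vault
#   make cli           — build CLI binary
#   make status        — check what's running
#
# Overridable knobs (command line or environment):
#   VAULT_LOG   file that receives the vault's stdout/stderr
#   VAULT_PORT  TCP port the post-start and status checks look for
#   BUILD_TIME  stamp substituted for __BUILD_TIME__ in the web index page

GOEXPERIMENT := boringcrypto
export GOEXPERIMENT

VAULT_DIR  := clavis-vault
CLI_DIR    := clavis-cli
CRYPTO_DIR := clavis-crypto

VAULT_BIN := $(VAULT_DIR)/clavitor
CLI_BIN   := $(CLI_DIR)/clavis-cli

VAULT_ENTRY := ./cmd/clavitor

LDFLAGS := -s -w
GOFLAGS := -trimpath

# NOTE(review): the default is a fixed, predictable name in a shared directory.
# For a vault, point this at a directory only the service user can write
# (e.g. make VAULT_LOG=<private-dir>/vault.log) so the log is neither readable
# nor pre-creatable by other local users.
VAULT_LOG ?= /tmp/clavis-vault.log

# Only used by the listener checks below; the port the vault actually binds is
# not set in this file (presumably by .env or the binary — confirm).
VAULT_PORT ?= 1984

# Recursive on purpose: `date` runs only when the vault recipe expands it.
# Pin it (make BUILD_TIME=...) when a repeatable web bundle is needed.
BUILD_TIME ?= $(shell date -u +%Y%m%d-%H%M%S)

.PHONY: all vault cli test clean deploy deploy-vault \
        restart restart-vault stop stop-vault status \
        verify-fips verify-fips-vault logs-vault

# deploy/deploy-vault depend on their prerequisites running left to right
# (build -> test -> verify-fips -> restart). None of those edges are declared
# between the individual targets, so under `make -j` the FIPS gate could run
# against a stale binary or the restart could race the build. Force serial
# execution in this makefile; sub-makes and `go build` still parallelise.
.NOTPARALLEL:

# --- build ---

all: vault cli

# Copies the shared crypto JS into the vault's web directory, stamps the build
# time into index.html, then builds the vault binary with BoringCrypto enabled.
#
# The copy stays best-effort (the build continues without it), but a failure is
# reported: otherwise a stale or missing copy of the crypto JS would go
# unnoticed.
#
# NOTE(review): `sed -i` edits index.html in place, so the __BUILD_TIME__
# placeholder is gone after the first build; later builds keep the old stamp
# unless the file is restored first.
vault:
	cp $(CRYPTO_DIR)/*.js $(VAULT_DIR)/cmd/clavitor/web/ 2>/dev/null || echo "warning: no crypto JS copied from $(CRYPTO_DIR)/ - web assets may be stale" >&2
	sed -i 's/__BUILD_TIME__/$(BUILD_TIME)/' $(VAULT_DIR)/cmd/clavitor/web/index.html 2>/dev/null || true
	cd $(VAULT_DIR) && go build $(GOFLAGS) -ldflags '$(LDFLAGS)' -o clavitor $(VAULT_ENTRY)
	@echo "built $(VAULT_BIN) (FIPS)"

# Builds the CLI through its own makefile, then strips it (best-effort).
cli:
	$(MAKE) -C $(CLI_DIR)
	@strip $(CLI_BIN) 2>/dev/null || true
	@echo "built $(CLI_BIN) ($$(wc -c < $(CLI_BIN)) bytes, stripped)"

# --- test ---

test:
	cd $(VAULT_DIR) && go test ./api/... -v

# --- deploy ---

deploy: vault cli test verify-fips restart-vault
	@echo "--- deployed ---"

deploy-vault: vault test verify-fips restart-vault
	@echo "--- vault deployed ---"

# --- verify ---

verify-fips: verify-fips-vault

# Deploy gate: fails unless the build settings recorded in the binary show both
# GOEXPERIMENT=boringcrypto and CGO_ENABLED=1. The second check matters because
# BoringCrypto is only compiled in when cgo is enabled; without cgo the
# experiment is still recorded but the standard Go crypto is used instead.
#
# NOTE(review): this inspects recorded build settings, not the linked code. A
# symbol-level check is likely unavailable here because the binary is linked
# with -s -w; consider verifying an unstripped build if stronger evidence is
# required.
verify-fips-vault:
	@info="$$(go version -m $(VAULT_BIN))" \
	  && printf '%s\n' "$$info" | grep -q 'GOEXPERIMENT=boringcrypto' \
	  && printf '%s\n' "$$info" | grep -q 'CGO_ENABLED=1' \
	  && echo "vault: FIPS 140-3 (BoringCrypto) ✓" \
	  || { echo "vault: BoringCrypto NOT linked ✗"; exit 1; }

# --- process management ---

# Best-effort stop: matches processes by command line (pkill -f), so it never
# fails the build when nothing is running.
stop-vault:
	@pkill -f './clavitor$$' 2>/dev/null || pkill -f 'clavis-vault/clavitor$$' 2>/dev/null || true
	@sleep 0.5

stop: stop-vault

# Starts the vault in the background with the environment from .env.
#
# .env is sourced by the shell, so any shell code in it runs as the invoking
# user, and `set -a` exports every variable it defines to the vault process;
# keep the file writable only by the operator.
#
# The listener check only proves that something is bound to the port, not that
# it is this vault. On failure the log is printed to the console, so it should
# not contain secrets.
restart-vault: stop-vault
	cd $(VAULT_DIR) && set -a && . ./.env && set +a && nohup ./clavitor > $(VAULT_LOG) 2>&1 &
	@sleep 1
	@ss -tlnp | grep -q ':$(VAULT_PORT)' && echo "vault running on :$(VAULT_PORT) ✓" || { echo "vault failed to start ✗"; cat $(VAULT_LOG); exit 1; }

restart: restart-vault

# Informational only: never fails, and reports the FIPS build setting without
# enforcing it (verify-fips is the enforcing check).
status:
	@echo "--- processes ---"
	@ps aux | grep -E '(clavitor|clavis)' | grep -v grep || echo "nothing running"
	@echo "--- ports ---"
	@ss -tlnp | grep -E ':$(VAULT_PORT)' || echo "no vault port open"
	@echo "--- fips ---"
	@go version -m $(VAULT_BIN) 2>/dev/null | grep -q 'GOEXPERIMENT=boringcrypto' && echo "vault: FIPS ✓" || echo "vault: not built or no FIPS"

# --- logs ---

logs-vault:
	@tail -f $(VAULT_LOG)

# --- clean ---

# Removes the vault binary; cleaning the CLI is best-effort (its makefile may
# have no clean target).
clean:
	rm -f $(VAULT_BIN)
	$(MAKE) -C $(CLI_DIR) clean 2>/dev/null || true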