inou/Makefile

# Inou Build System
# Run on .253: make deploy (staging), make deploy-prod (production)

VERSION := 1.0.0
PROD_HOST := johan@192.168.100.2
BUILD_TIME := $(shell date '+%Y-%m-%d %H:%M:%S')
LDFLAGS := -ldflags "-X main.Version=$(VERSION) -X 'main.BuildTime=$(BUILD_TIME)'"

# FIPS 140-3 compliance
FIPS := GOFIPS140=v1.0.0

BINDIR := bin
DEPLOY_DIR := /tank/inou

.PHONY: all clean deploy deploy-prod sync linux lab tools help list fips-check check-db test test-rbac import-dicom import-genome decrypt

# Default: build everything
all: linux lab $(BINDIR)/import-genome $(BINDIR)/import-dicom

# Linux binaries (native, FIPS)
linux: $(BINDIR)/viewer $(BINDIR)/portal $(BINDIR)/api

$(BINDIR)/viewer: ./viewer/*.go ./lib/*.go | $(BINDIR)
	$(FIPS) go build $(LDFLAGS) -o $@ ./viewer

$(BINDIR)/portal: ./portal/*.go ./lib/*.go | $(BINDIR)
	$(FIPS) go build $(LDFLAGS) -o $@ ./portal

$(BINDIR)/api: ./api/*.go ./lib/*.go | $(BINDIR)
	$(FIPS) go build $(LDFLAGS) -o $@ ./api

# Lab utilities
lab: $(BINDIR)/lab-scrape $(BINDIR)/lab-import

$(BINDIR)/lab-scrape: ./scrape_mychart/main.go | $(BINDIR)
	$(FIPS) go build $(LDFLAGS) -o $@ ./scrape_mychart/main.go

$(BINDIR)/lab-import: ./scrape_mychart/import.go | $(BINDIR)
	$(FIPS) go build $(LDFLAGS) -o $@ ./scrape_mychart/import.go

# Genome import tool
import-genome: $(BINDIR)/import-genome
$(BINDIR)/import-genome: ./import-genome/*.go ./lib/*.go | $(BINDIR)
	$(FIPS) go build $(LDFLAGS) -o $@ ./import-genome

# DICOM import tool
import-dicom: $(BINDIR)/import-dicom
$(BINDIR)/import-dicom: ./import_dicom/*.go ./lib/*.go | $(BINDIR)
	$(FIPS) go build $(LDFLAGS) -o $@ ./import_dicom

# Debug tools (no FIPS needed)
tools: $(BINDIR)/decrypt $(BINDIR)/fips-check

decrypt: $(BINDIR)/decrypt
$(BINDIR)/decrypt: ./tools/decrypt/*.go ./lib/*.go | $(BINDIR)
	go build -o $@ ./tools/decrypt

fips-check: $(BINDIR)/fips-check
$(BINDIR)/fips-check: ./tools/fips-check/*.go | $(BINDIR)
	go build -o $@ ./tools/fips-check

# Ensure bin directory exists
$(BINDIR):
	mkdir -p $(BINDIR)

# Check for forbidden direct database access
check-db:
	@./scripts/check-db-access.sh

# Run integration tests (requires services running)
test:
	@./scripts/test-integration.sh

# Run RBAC tests (requires API running)
test-rbac:
	@./scripts/test-rbac.sh

# Deploy to production (builds, copies, restarts)
# Runs check-db FIRST to prevent deploying code with direct DB access
deploy: check-db all $(BINDIR)/decrypt $(BINDIR)/fips-check
	$(DEPLOY_DIR)/stop.sh
	mkdir -p $(DEPLOY_DIR)/bin
	mkdir -p $(DEPLOY_DIR)/templates
	mkdir -p $(DEPLOY_DIR)/static
	cp $(BINDIR)/viewer $(DEPLOY_DIR)/bin/
	cp $(BINDIR)/portal $(DEPLOY_DIR)/bin/
	cp $(BINDIR)/api $(DEPLOY_DIR)/bin/
	cp $(BINDIR)/import-genome $(DEPLOY_DIR)/bin/
	cp $(BINDIR)/import-dicom $(DEPLOY_DIR)/bin/
	cp $(BINDIR)/decrypt $(DEPLOY_DIR)/bin/
	cp $(BINDIR)/fips-check $(DEPLOY_DIR)/bin/
	cp $(BINDIR)/lab-* $(DEPLOY_DIR)/bin/ 2>/dev/null || true
	rsync -av --delete portal/templates/ $(DEPLOY_DIR)/templates/
	rsync -av portal/static/ $(DEPLOY_DIR)/static/
	rsync -av portal/lang/ $(DEPLOY_DIR)/lang/
	$(DEPLOY_DIR)/start.sh
	@echo ""
	$(DEPLOY_DIR)/status.sh

# Deploy to PRODUCTION (builds locally, copies to prod, restarts)
# This is a SEPARATE action from staging deploy - requires explicit invocation
deploy-prod: check-db all $(BINDIR)/decrypt $(BINDIR)/fips-check
	@echo "=== Deploying to PRODUCTION ($(PROD_HOST)) ==="
	ssh $(PROD_HOST) "$(DEPLOY_DIR)/stop.sh"
	ssh $(PROD_HOST) "mkdir -p $(DEPLOY_DIR)/bin $(DEPLOY_DIR)/templates $(DEPLOY_DIR)/static $(DEPLOY_DIR)/lang"
	scp $(BINDIR)/viewer $(BINDIR)/portal $(BINDIR)/api $(PROD_HOST):$(DEPLOY_DIR)/bin/
	scp $(BINDIR)/import-genome $(BINDIR)/import-dicom $(BINDIR)/fips-check $(PROD_HOST):$(DEPLOY_DIR)/bin/
	scp $(BINDIR)/lab-* $(PROD_HOST):$(DEPLOY_DIR)/bin/ 2>/dev/null || true
	rsync -avz --delete portal/templates/ $(PROD_HOST):$(DEPLOY_DIR)/templates/
	rsync -avz portal/static/ $(PROD_HOST):$(DEPLOY_DIR)/static/
	rsync -avz portal/lang/ $(PROD_HOST):$(DEPLOY_DIR)/lang/
	ssh $(PROD_HOST) "$(DEPLOY_DIR)/start.sh"
	@echo ""
	ssh $(PROD_HOST) "$(DEPLOY_DIR)/status.sh"

# Sync templates/static/lang without restart
sync:
	rsync -av --delete portal/templates/ $(DEPLOY_DIR)/templates/
	rsync -av portal/static/ $(DEPLOY_DIR)/static/
	rsync -av portal/lang/ $(DEPLOY_DIR)/lang/

# Clean build artifacts
clean:
	rm -rf $(BINDIR)

# Show what's built
list:
	@ls -la $(BINDIR)/ 2>/dev/null || echo "No binaries yet. Run: make all"

# Verify FIPS status
fips-check:
	@echo "FIPS 140-3 Build Status:"
	@for bin in $(BINDIR)/*; do \
		if [ -f "$$bin" ]; then \
			FIPS_INFO=$$(go version -m "$$bin" 2>/dev/null | grep GOFIPS140); \
			NAME=$$(basename "$$bin"); \
			if [ -n "$$FIPS_INFO" ]; then \
				echo "  $$NAME: ✓"; \
			else \
				echo "  $$NAME: ✗ NOT FIPS"; \
			fi \
		fi \
	done

# Help
help:
	@echo "Inou Build System (FIPS 140-3 Compliant)"
	@echo ""
	@echo "Usage:"
	@echo "  make deploy        - Build & deploy to STAGING (192.168.1.253)"
	@echo "  make deploy-prod   - Build & deploy to PRODUCTION (192.168.100.2)"
	@echo "  make all           - Build all binaries"
	@echo "  make sync          - Sync templates/static/lang (no restart)"
	@echo "  make check-db      - Verify no direct DB access (runs auto on deploy)"
	@echo "  make test          - Run integration tests (services must be running)"
	@echo "  make test-rbac     - Run RBAC permission tests (API must be running)"
	@echo "  make import-genome - Build genome import tool"
	@echo "  make import-dicom  - Build DICOM import tool"
	@echo "  make tools         - Build debug tools (decrypt)"
	@echo "  make decrypt       - Build decrypt tool only"
	@echo "  make clean         - Remove build artifacts"
	@echo "  make fips-check    - Verify FIPS compliance"
	@echo "  make list          - Show built binaries"