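# vault1984 — build pipeline
# FIPS 140-3: BoringCrypto via GOEXPERIMENT=boringcrypto
# Requires Go 1.24+ (verified: go1.24.0)
#
# NOTE(review): the GOEXPERIMENT setting recorded in a binary shows how it was
# built; on its own it is not evidence that a validated module is in use.
# Go 1.24 also ships a native FIPS 140-3 mechanism (the GOFIPS140 build
# setting) — confirm which module the compliance claim relies on.
#
# Usage:
#   make deploy      — build + test + restart everything
#   make deploy-app  — build + test + restart app only
#   make deploy-web  — build + restart website only
#   make status      — check what's running

GOEXPERIMENT := boringcrypto
export GOEXPERIMENT

APP_DIR   := app
WEB_DIR   := website
APP_BIN   := $(APP_DIR)/vault1984
WEB_BIN   := $(WEB_DIR)/vault1984-web
APP_ENTRY := ./cmd/vault1984
WEB_ENTRY := .

LDFLAGS := -s -w
GOFLAGS := -trimpath

# Listening ports checked after a restart and by `make status`.
APP_PORT := 1984
WEB_PORT := 8099

# Where the service logs are written. The default is kept for compatibility,
# but /tmp is world-writable and these names are predictable: on a shared host
# another local user can pre-create or read the files. Prefer a directory owned
# by the deploy user, e.g. `make deploy LOG_DIR=<private log dir>`.
# $(abspath) keeps the path valid inside the `cd` used by the restart recipes.
LOG_DIR := /tmp
APP_LOG := $(abspath $(LOG_DIR))/vault1984.log
WEB_LOG := $(abspath $(LOG_DIR))/vault1984-web.log

.PHONY: all app website test clean deploy deploy-app deploy-web \
        restart restart-app restart-web stop stop-app stop-web status \
        verify-fips verify-fips-app verify-fips-web logs-app logs-web

# The deploy targets rely on their prerequisites running left to right
# (build, test, verify, restart). Without this, `make -j` could restart a
# service before its test and FIPS gates have finished.
.NOTPARALLEL:

# --- build ---

all: app website

# Build the app binary at $(APP_BIN).
app:
	cd $(APP_DIR) && go build $(GOFLAGS) -ldflags '$(LDFLAGS)' -o vault1984 $(APP_ENTRY)
	@echo "built $(APP_BIN) (FIPS)"

# Build the website binary at $(WEB_BIN).
website:
	cd $(WEB_DIR) && go build $(GOFLAGS) -ldflags '$(LDFLAGS)' -o vault1984-web $(WEB_ENTRY)
	@echo "built $(WEB_BIN) (FIPS)"

# --- test ---

# Only the app's ./api/... packages are tested; the website has no test step.
test:
	cd $(APP_DIR) && go test ./api/... -v

# --- deploy ---

deploy: all test verify-fips restart
	@echo "--- deployed ---"

deploy-app: app test verify-fips-app restart-app
	@echo "--- app deployed ---"

deploy-web: website verify-fips-web restart-web
	@echo "--- website deployed ---"

# --- verify ---

# Deploy gate: fail unless the binary's embedded build info records
# GOEXPERIMENT=boringcrypto.
# NOTE(review): this inspects the recorded build setting only. Presumably
# BoringCrypto is linked only when cgo is enabled on a supported platform —
# confirm, and consider also requiring 'CGO_ENABLED=1' in the same output.
# LDFLAGS strips the symbol table, so symbol-based checks are not available.
verify-fips: verify-fips-app verify-fips-web

verify-fips-app:
	@go version -m $(APP_BIN) | grep -q 'GOEXPERIMENT=boringcrypto' && echo "app: FIPS 140-3 (BoringCrypto) ✓" || { echo "app: BoringCrypto NOT linked ✗"; exit 1; }

verify-fips-web:
	@go version -m $(WEB_BIN) | grep -q 'GOEXPERIMENT=boringcrypto' && echo "web: FIPS 140-3 (BoringCrypto) ✓" || { echo "web: BoringCrypto NOT linked ✗"; exit 1; }

# --- process management ---

# pkill exits non-zero when nothing matched, hence the `|| true`. The loop
# then waits (0.5s steps, up to 5s) until no matching process is left and
# fails otherwise, so a restart can never report success while the previous
# binary is still the one holding the port.
# The -f patterns match any process whose command line ends with the binary
# name; a PID file would identify the service more precisely.
stop-app:
	@pkill -f './vault1984$$' 2>/dev/null || pkill -f 'vault1984/vault1984$$' 2>/dev/null || true
	@for try in 1 2 3 4 5 6 7 8 9 10; do \
		sleep 0.5; \
		pgrep -f './vault1984$$' >/dev/null 2>&1 || exit 0; \
	done; \
	echo "app still running after stop ✗"; exit 1

stop-web:
	@pkill -f 'vault1984-web$$' 2>/dev/null || true
	@for try in 1 2 3 4 5 6 7 8 9 10; do \
		sleep 0.5; \
		pgrep -f 'vault1984-web$$' >/dev/null 2>&1 || exit 0; \
	done; \
	echo "website still running after stop ✗"; exit 1

stop: stop-app stop-web

# $(APP_DIR)/.env is sourced by the shell, so anything in it is executed as
# the deploy user: keep it owned by and writable only for that user, and out
# of version control. `set -a` exports every variable it defines to the app.
# The whole `&&` chain is backgrounded, so a missing .env only shows up via
# the port check below. On failure the log is printed to the terminal (or CI
# output); make sure the app does not log secrets at startup.
# The port check confirms that something listens on the port, not which
# process it is.
restart-app: stop-app
	cd $(APP_DIR) && set -a && . ./.env && set +a && nohup ./vault1984 > $(APP_LOG) 2>&1 &
	@sleep 1
	@ss -tlnp | grep -Eq ':$(APP_PORT)[[:space:]]' && echo "app running on :$(APP_PORT) ✓" || { echo "app failed to start ✗"; cat $(APP_LOG); exit 1; }

restart-web: stop-web
	cd $(WEB_DIR) && nohup ./vault1984-web > $(WEB_LOG) 2>&1 &
	@sleep 1
	@ss -tlnp | grep -Eq ':$(WEB_PORT)[[:space:]]' && echo "website running on :$(WEB_PORT) ✓" || { echo "website failed to start ✗"; cat $(WEB_LOG); exit 1; }

restart: restart-app restart-web

# Informational only: never fails, and reports the same build-info check as
# verify-fips without gating on it.
status:
	@echo "--- processes ---"
	@ps aux | grep -E 'vault1984(-web)?$$' | grep -v grep || echo "nothing running"
	@echo "--- ports ---"
	@ss -tlnp | grep -E ':($(APP_PORT)|$(WEB_PORT))[[:space:]]' || echo "no ports open"
	@echo "--- fips ---"
	@go version -m $(APP_BIN) 2>/dev/null | grep -q 'GOEXPERIMENT=boringcrypto' && echo "app: FIPS ✓" || echo "app: not built or no FIPS"
	@go version -m $(WEB_BIN) 2>/dev/null | grep -q 'GOEXPERIMENT=boringcrypto' && echo "web: FIPS ✓" || echo "web: not built or no FIPS"

# --- logs ---

logs-app:
	@tail -f $(APP_LOG)

logs-web:
	@tail -f $(WEB_LOG)

# --- clean ---

# Removes only the two binaries this Makefile builds; logs are left in place.
clean:
	$(RM) $(APP_BIN) $(WEB_BIN)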