#!/bin/sh
# Stage the prebuilt `zot` agent binary + credentials into an image root.
#
# zot is the agent-harness consolidation target (one static Go binary). It has no
# FreeBSD release, so build it on the host first and point ZOT_ARTIFACT_DIR here:
#   (cd ../zot && git checkout "$ZOT_VERSION" \
#       && ZOT_BUILD_VERSION="${ZOT_VERSION:-v0.2.42}" \
#       && VERSION="${ZOT_BUILD_VERSION#v}" make build)
#
# Credentials: zot resolves provider keys as --api-key -> provider env var ->
# $ZOT_HOME/auth.json. This stages auth.json (DeepSeek) under the operator's
# default ZOT_HOME (~/.local/state/zot). The Telegram token is configured
# separately at runtime via `zot telegram-bot setup` (it lives in zot state).
#
# Usage:
#   ZOT_ARTIFACT_DIR=/path/to/bin scripts/stage-zot-iso.sh /path/to/image-root

set -eu

if [ "${1:-}" = "" ]; then
    echo "usage: $0 DESTDIR" >&2
    exit 64
fi

DESTDIR=$1
ZOT_ARTIFACT_DIR=${ZOT_ARTIFACT_DIR:?set ZOT_ARTIFACT_DIR to the dir holding the built zot binary}
ZOT_OPERATOR=${ZOT_OPERATOR:-clawdie}
ZOT_DEEPSEEK_KEY=${ZOT_DEEPSEEK_KEY:-}

BIN_SRC="${ZOT_ARTIFACT_DIR}/zot"
BIN_DIR="${DESTDIR}/usr/local/bin"
# zot's default ZOT_HOME on FreeBSD is ~/.local/state/zot
ZOT_HOME_REL=".local/state/zot"
OP_HOME="${DESTDIR}/home/${ZOT_OPERATOR}"
ZOT_HOME="${OP_HOME}/${ZOT_HOME_REL}"

if [ ! -x "${BIN_SRC}" ]; then
    echo "missing executable zot artifact: ${BIN_SRC}" >&2
    echo "hint: (cd \$ZOT_REPO && ZOT_BUILD_VERSION=\"\${ZOT_VERSION:-v0.2.42}\" && VERSION=\"\${ZOT_BUILD_VERSION#v}\" make build)" >&2
    exit 66
fi

mkdir -p "${BIN_DIR}" "${ZOT_HOME}"
install -m 0555 "${BIN_SRC}" "${BIN_DIR}/zot"

# auth.json: bake the DeepSeek key if provided (0600), else leave a template.
if [ -n "${ZOT_DEEPSEEK_KEY}" ]; then
    umask 077
    cat > "${ZOT_HOME}/auth.json" <<EOF
{
  "deepseek": { "api_key": "${ZOT_DEEPSEEK_KEY}" }
}
EOF
    chmod 0600 "${ZOT_HOME}/auth.json"
    _cred_note="auth.json baked with DeepSeek key (0600)"
else
    cat > "${ZOT_HOME}/auth.json.sample" <<'EOF'
{
  "deepseek": { "api_key": "sk-REPLACE-ME" }
}
EOF
    _cred_note="auth.json.sample staged (operator copies to auth.json, chmod 0600)"
fi

cat > "${ZOT_HOME}/README.iso" <<EOF
zot agent — ISO staging notes
=============================

Binary: /usr/local/bin/zot  (pinned build; FreeBSD-native, no release tarball)
State (ZOT_HOME): ~/.local/state/zot  (config.json, auth.json, sessions/, logs/)

Credentials (zot order: --api-key -> provider env -> auth.json):
  - ${_cred_note}
  - or export DEEPSEEK_API_KEY at runtime.

Telegram bridge (token stored in zot state, not auth.json):
  zot telegram-bot setup     # paste BotFather token
  zot telegram-bot start

Supervision contract for Colibri glasspane:
  zot --json "..."           # newline-delimited json events
  zot rpc                    # json-rpc loop
EOF

cat <<EOF
Staged zot into ${DESTDIR}
  binary : ${BIN_DIR}/zot   (from ${BIN_SRC})
  state  : home/${ZOT_OPERATOR}/${ZOT_HOME_REL}
  creds  : ${_cred_note}
EOF