#!/usr/bin/env bash
# Generate a Software Bill of Materials for the Stundenplan stack.
#
# Per Open-Source-Policy (.claude/rules/open-source-policy.md) we need a
# license inventory for every shipped artifact. This script collects all
# three flavours into sbom/stundenplan/ as JSON/CSV/Markdown.
#
# Usage:  bash scripts/stundenplan-sbom.sh
#
# Tools required (skipped with warning if missing):
#   - go-licenses (Go)            go install github.com/google/go-licenses@latest
#   - pip-licenses (Python)       pip install pip-licenses
#   - license-checker (Node)      already in studio-v2/node_modules
set -euo pipefail

ROOT="$(cd "$(dirname "$0")/.." && pwd)"
OUT="$ROOT/sbom/stundenplan"
mkdir -p "$OUT"

# --------- Go: school-service ---------
echo "==> school-service (Go)"
if command -v go-licenses >/dev/null 2>&1; then
  ( cd "$ROOT/school-service" \
    && go-licenses csv ./... > "$OUT/school-service-licenses.csv" 2> "$OUT/school-service-warnings.log" \
    || echo "  go-licenses returned non-zero (see warnings.log)" )
else
  echo "  skipped — install with: go install github.com/google/go-licenses@latest"
fi

# --------- Python: timetable-solver-service ---------
echo "==> timetable-solver-service (Python)"
if [[ -d "$ROOT/timetable-solver-service" ]]; then
  if command -v pip-licenses >/dev/null 2>&1; then
    # Resolve against the requirements.txt the Dockerfile installs.
    pip install --quiet --no-deps -r "$ROOT/timetable-solver-service/requirements.txt" \
      --target "$OUT/.python-tmp" 2>/dev/null || true
    PYTHONPATH="$OUT/.python-tmp" pip-licenses --format=json \
      > "$OUT/timetable-solver-licenses.json" 2> "$OUT/timetable-solver-warnings.log" \
      || echo "  pip-licenses returned non-zero"
    rm -rf "$OUT/.python-tmp"
  else
    echo "  skipped — install with: pip install pip-licenses"
  fi
fi

# --------- Node: studio-v2 (subset that ships in the bundle) ---------
echo "==> studio-v2 (Node)"
if [[ -d "$ROOT/studio-v2/node_modules" ]]; then
  ( cd "$ROOT/studio-v2" \
    && ./node_modules/.bin/license-checker --json --production \
       > "$OUT/studio-v2-licenses.json" 2> "$OUT/studio-v2-warnings.log" \
    || echo "  license-checker returned non-zero" )
else
  echo "  studio-v2/node_modules missing — run npm install first"
fi

# --------- Summary ---------
echo
echo "SBOM written to $OUT"
ls -la "$OUT"