#!/usr/bin/env bash
# Build, deploy, and fix permissions on the damocles-lab state tree.
# Run from the damocles-daemon repo root (or anywhere - resolves paths absolutely).

set -euo pipefail

REPO="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
TARGET=/persist/damocles-lab
STATE="$TARGET/state"

echo "==> checking for running daemon in lab"
if RUNNING=$(~/lab.sh "pgrep -af damocles-daemon" 2>/dev/null); then
    echo "ERROR: daemon is running in lab - won't overwrite live binary." >&2
    echo "$RUNNING" >&2
    echo "Stop it first: ~/lab.sh \"pkill damocles-daemon\"" >&2
    exit 1
fi

echo "==> building"
cd "$REPO"
nix develop --command cargo build --bin damocles-daemon --bin damocles-mcp 2>&1 | tail -3

echo "==> deploying binaries to $TARGET"
for bin in damocles-daemon damocles-mcp; do
    cp "$REPO/target/debug/$bin" "$TARGET/$bin.new"
    chown muede:users "$TARGET/$bin.new"
    mv "$TARGET/$bin.new" "$TARGET/$bin"
done
ls -la "$TARGET/damocles-daemon" "$TARGET/damocles-mcp"

echo "==> fixing state tree ownership (muede:users)"
# Anything touched by full-Damocles from the (root-running) damocles container
# ends up root-owned and unwritable by the daemon. Bulk-fix every time we deploy.
chown -R muede:users "$STATE"

# SYSTEM.md ships from the repo and is the harness contract. Replacing on
# every deploy guarantees it matches the binary's actual capabilities (no
# stale references to tools that aren't enabled). Locked root:root 644 so
# the daemon (running as muede) can read but not edit it.
echo "==> shipping SYSTEM.md from repo"
install -m 644 -o root -g root "$REPO/prompts/SYSTEM.md" "$STATE/identity/SYSTEM.md"

# Append pending CHANGELOG entries (new tool announcements etc.) to the live
# CHANGELOG.md and then clear the pending file. This guarantees the shard
# only sees announcements AFTER the binary supporting them is deployed.
PENDING="$REPO/prompts/pending_changelog.md"
LIVE="$STATE/CHANGELOG.md"
# Extract everything after the closing --> of the header comment, trim
# whitespace. If there's anything left, we have actual entries to append.
PENDING_BODY=$(awk '/^-->$/{p=1; next} p' "$PENDING" | sed -e 's/^[[:space:]]*$//' | grep -v '^$' || true)
if [ -n "$PENDING_BODY" ]; then
    echo "==> appending pending CHANGELOG entries"
    {
        echo
        awk '/^-->$/{p=1; next} p' "$PENDING"
    } >> "$LIVE"
    chown muede:users "$LIVE"
    # reset the pending file to just the header comment
    cat > "$PENDING" <<'EOF'
<!--
Pending CHANGELOG entries. Edit this file to queue announcements to the shard
about new capabilities/behavior shipped in the next deploy. The deploy script
appends this content to /persist/damocles-lab/state/CHANGELOG.md and clears
this file. That way CHANGELOG entries can never reference tools that aren't
actually in the deployed binary yet.

Format: same as live CHANGELOG entries - heading + body, ending with a
"Capability addition:" line for the shard to lift into notes.md.
-->
EOF
fi

echo "    state tree fixed"

echo "==> done. restart daemon to pick up new binary:"
echo "    ~/lab.sh \"cd /workspace && RUST_LOG=info ./damocles-daemon\""