#!/usr/bin/env sh
# [D.2] Attesto CLI installer — served at https://get.attesto.eu
#   curl -fsSL https://get.attesto.eu | sh
#   curl -fsSL https://get.attesto.eu | ATTESTO_VERSION=0.3.0 sh
#
# Downloads the binary for this platform plus the SHA256SUMS manifest and
# verifies the checksum BEFORE installing anything. Cosign signature
# verification is added with the signed-release pipeline (P2.4); the commands
# will be documented on docs.attesto.eu alongside the downloads.
set -eu

BASE_URL="${ATTESTO_BASE_URL:-https://get.attesto.eu}"
VERSION="${ATTESTO_VERSION:-latest}"
INSTALL_DIR="${ATTESTO_INSTALL_DIR:-/usr/local/bin}"

os="$(uname -s | tr '[:upper:]' '[:lower:]')"
arch="$(uname -m)"
case "$arch" in
  x86_64|amd64) arch="amd64" ;;
  aarch64|arm64) arch="arm64" ;;
  *) echo "unsupported architecture: $arch" >&2; exit 1 ;;
esac
case "$os" in
  linux|darwin) ;;
  *) echo "unsupported OS: $os (Windows: download attesto_*_windows_amd64.exe from docs.attesto.eu)" >&2; exit 1 ;;
esac

if [ "$VERSION" = "latest" ]; then
  VERSION="$(curl -fsSL "$BASE_URL/latest-version.txt")"
fi
name="attesto_${VERSION}_${os}_${arch}"

tmp="$(mktemp -d)"
trap 'rm -rf "$tmp"' EXIT

echo "downloading $name ..."
curl -fsSL -o "$tmp/$name" "$BASE_URL/$VERSION/$name"
curl -fsSL -o "$tmp/SHA256SUMS" "$BASE_URL/$VERSION/SHA256SUMS"

echo "verifying checksum ..."
(cd "$tmp" && grep " $name\$" SHA256SUMS | sha256sum -c -) || {
  echo "CHECKSUM MISMATCH — refusing to install" >&2
  exit 1
}

chmod +x "$tmp/$name"
if [ -w "$INSTALL_DIR" ]; then
  mv "$tmp/$name" "$INSTALL_DIR/attesto"
else
  echo "(sudo required for $INSTALL_DIR)"
  sudo mv "$tmp/$name" "$INSTALL_DIR/attesto"
fi
echo "installed: $INSTALL_DIR/attesto"
"$INSTALL_DIR/attesto" version 2>/dev/null || true