#!/bin/bash

## Copyright (C) 2026 - 2026 ENCRYPTED SUPPORT LLC <adrelanos@whonix.org>
## See the file COPYING for copying conditions.

## AI-Assisted

## Project-policy wrapper around `github-org-fork`.
## Mirrors Kicksecure and Whonix into the org-ai-assisted GitHub org.

## Strict mode for the whole wrapper:
##   errexit  - stop on the first unhandled command failure
##   nounset  - expanding an unset variable is an error
##   pipefail - a pipeline fails if any stage fails
##   errtrace - ERR traps are inherited by functions and subshells
set -o errexit -o nounset -o pipefail -o errtrace
##   inherit_errexit - command substitutions keep errexit
##   shift_verbose   - 'shift' past the end of the arguments reports an error
shopt -s inherit_errexit shift_verbose

## R-082: source every helper-scripts file used directly.
# shellcheck source=../../../helper-scripts/usr/libexec/helper-scripts/log_run_die.sh
source "${HELPER_SCRIPTS_PATH:-}"/usr/libexec/helper-scripts/log_run_die.sh
# shellcheck source=../../../helper-scripts/usr/libexec/helper-scripts/has.sh
source "${HELPER_SCRIPTS_PATH:-}"/usr/libexec/helper-scripts/has.sh
## Sourced for its LOG_MAX_LEN default.
# shellcheck source=../libexec/developer-meta-files/github-org-lib.bsh
source /usr/libexec/developer-meta-files/github-org-lib.bsh

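## Destination org that receives every fork.
readonly MIRROR='org-ai-assisted'

## Source orgs, processed in this order by the sync loop.
readonly SOURCE_ORGS=( 'Kicksecure' 'Whonix' )

## Flags passed to every github-org-fork invocation.
##
## --include-forks: Kicksecure has ~13 repos that are forks of
## upstream projects. github-org-fork defaults to skipping forks; the
## flag here makes the mirror cover the full Kicksecure surface.
##
## --sync-branches: without this, fork-sync only creates new forks
## and reconfigures existing ones - it does NOT advance branch tips
## when upstream commits land.
##
## --disable-issues / --disable-wiki / --disable-projects and
## --actions enable: match the settings listed in show_help (issues,
## wiki, projects off; Actions on so CI logs are readable on the mirror).
##
## --workflow-perms read: presumably sets the default workflow token
## permission on each mirror to read-only - confirm against
## github-org-fork.
##
## NOTE(review): show_help also states that private source repos are
## skipped, but no flag in this list requests that. Presumably it is a
## github-org-fork default - confirm, because this list is the only
## policy the wrapper itself enforces.
readonly POLICY_FLAGS=(
   --include-forks
   --sync-branches
   --disable-issues
   --disable-wiki
   --disable-projects
   --actions enable
   --workflow-perms read
)

## Whonix and Kicksecure both have '.github' and 'canary'. Kicksecure
## wins those two names; skip the Whonix ones.
## Keyed by source org; the value is handed to github-org-fork as the
## --exclude argument by the sync loop. Declared readonly like the
## other policy values so nothing later in the script can change which
## repos are skipped.
declare -g -A -r SOURCE_EXCLUDE_RE=(
   ['Whonix']='^(\.github|canary)$'
)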

## Print the usage text on stdout; callers redirect it where needed.
show_help() {
   ## One argument per output line. The '%s\n' format keeps every
   ## argument literal, so '${GITHUB_TOKEN}' is printed as text and is
   ## never expanded.
   printf '%s\n' \
      'Project-policy wrapper around github-org-fork.' \
      'Mirrors the Kicksecure and Whonix orgs into the org-ai-assisted org' \
      'with the settings the project requires:' \
      '' \
      '  - private source repos skipped' \
      '  - issues, wiki, projects disabled on each mirror' \
      '  - GitHub Actions enabled on each mirror (so Claude Code can read' \
      '    CI logs from the mirror)' \
      '' \
      'Usage (one mode flag is required - no implicit default):' \
      '  dm-github-fork-sync --apply     ## sync all source orgs into the mirror' \
      '  dm-github-fork-sync --dry-run   ## report planned actions only' \
      '  dm-github-fork-sync --help' \
      '' \
      'All extra flags are forwarded to github-org-fork.' \
      '' \
      'Auth: ${GITHUB_TOKEN} env var, or ~/.config/github-token with' \
      'permissions 0600. The token must have admin access to the' \
      'org-ai-assisted org so that github-org-fork can create forks under it.'
}

## Argument handling.
##
## --debug turns on 'set -x' in this wrapper and is also handed to each
## spawned github-org-fork. A mode flag (--apply / --dry-run) is
## mandatory and is validated here, before anything is spawned, so the
## error message names dm-github-fork-sync rather than the spawned tool.
## Everything except -h/--help and --debug is forwarded unchanged.
##
## NOTE(review): forwarded arguments land after POLICY_FLAGS on the
## github-org-fork command line. Whether a forwarded flag can override
## a policy flag, or a forwarded '--' can end option parsing before the
## wrapper's own '--', depends on github-org-fork's parser, which is
## not visible here - confirm.
## NOTE(review): no command in this file carries the token as an
## argument; what the spawned tool traces under --debug is not visible
## here - confirm.
debug_flag=()
positional_args=()
mode_set=0
for arg in "$@"; do
   if [ "${arg}" = '-h' ] || [ "${arg}" = '--help' ]; then
      show_help
      exit 0
   fi

   if [ "${arg}" = '--debug' ]; then
      set -x
      debug_flag=( --debug )
      continue
   fi

   if [ "${arg}" = '--apply' ] || [ "${arg}" = '--dry-run' ]; then
      ## A second mode flag, even a repeat of the first, is refused.
      if [ "${mode_set}" -ne 0 ]; then
         die 64 'conflicting mode flags; specify exactly one of --apply / --dry-run'
      fi
      mode_set=1
   fi

   ## Mode flags and every argument not handled above are forwarded as-is.
   positional_args+=( "${arg}" )
done

if [ "${mode_set}" -ne 1 ]; then
   show_help >&2
   die 64 'specify exactly one of --apply / --dry-run'
fi

die_if_not_has github-org-fork

## One github-org-fork run per source org, in SOURCE_ORGS order.
## Because errexit is set, a failing run ends the script before the
## remaining orgs are processed.
for src in "${SOURCE_ORGS[@]}"; do
   ## Argument order: debug flag, policy flags, per-org exclude,
   ## forwarded arguments, then '--' and the two org names.
   sync_cmd=( github-org-fork "${debug_flag[@]}" "${POLICY_FLAGS[@]}" )
   if [ -n "${SOURCE_EXCLUDE_RE[${src}]:-}" ]; then
      sync_cmd+=( --exclude "${SOURCE_EXCLUDE_RE[${src}]}" )
   fi
   sync_cmd+=( "${positional_args[@]}" -- "${src}" "${MIRROR}" )

   log notice "=== ${src} -> ${MIRROR} ==="
   "${sync_cmd[@]}"
done
