#!/usr/bin/env bash
# Shallow-clone NIST macos_security and Lynis into applepy/data/ for bundled / PyInstaller builds.
# Preserves applepy/data/{macos_security,lynis}/README.md and .gitignore (excluded from rsync).
set -euo pipefail
ROOT="$(cd "$(dirname "$0")/.." && pwd)"
MACP="${ROOT}/applepy/data/macos_security"
LYNP="${ROOT}/applepy/data/lynis"
TMP="${TMPDIR:-/tmp}/applepy-vendor-$$"
cleanup() { rm -rf "${TMP}"; }
trap cleanup EXIT
mkdir -p "${TMP}"

refresh="${REFRESH:-0}"

clone_mscp() {
  if [[ -f "${MACP}/scripts/generate_guidance.py" ]] && [[ "${refresh}" != "1" ]]; then
    echo "macos_security already present under applepy/data/macos_security (set REFRESH=1 to re-fetch)"
    return 0
  fi
  mkdir -p "${MACP}"
  git clone --depth 1 "https://github.com/usnistgov/macos_security.git" "${TMP}/macos_security"
  rsync -a --delete \
    --exclude README.md --exclude .gitignore --exclude .git \
    "${TMP}/macos_security/" "${MACP}/"
  echo "Vendored macos_security -> ${MACP}"
}

clone_lynis() {
  if [[ -f "${LYNP}/lynis" ]] && [[ "${refresh}" != "1" ]]; then
    echo "Lynis already present under applepy/data/lynis (set REFRESH=1 to re-fetch)"
    return 0
  fi
  mkdir -p "${LYNP}"
  git clone --depth 1 "https://github.com/cisofy/lynis.git" "${TMP}/lynis"
  rsync -a --delete \
    --exclude README.md --exclude .gitignore --exclude .git \
    "${TMP}/lynis/" "${LYNP}/"
  echo "Vendored Lynis -> ${LYNP}"
}

case "${1:-all}" in
  mscp|macos_security) clone_mscp ;;
  lynis) clone_lynis ;;
  all)
    clone_mscp
    clone_lynis
    ;;
  *)
    echo "Usage: $0 [all|mscp|lynis]" >&2
    exit 2
    ;;
esac