#!/usr/bin/env bash
# Build one-folder PyInstaller distribution (see applepy.spec). Requires: pip install -e ".[bundle]"
# By default fetches NIST macos_security + Lynis into applepy/data/ (git + network). Offline:
#   SKIP_VENDOR_COMPLIANCE=1 ./scripts/build_bundle.sh
set -euo pipefail
ROOT="$(cd "$(dirname "$0")/.." && pwd)"
cd "$ROOT"
if [[ -f .venv/bin/activate ]]; then
  # shellcheck source=/dev/null
  source .venv/bin/activate
fi
if [[ "${SKIP_VENDOR_COMPLIANCE:-0}" != "1" ]]; then
  "${ROOT}/scripts/vendor_compliance_assets.sh" all
else
  echo "SKIP_VENDOR_COMPLIANCE=1: skipping scripts/vendor_compliance_assets.sh"
fi
python -m pip install -q -e ".[bundle]"
DIST_OUT="${ROOT}/dist/applepy"
if [[ -e "${DIST_OUT}" ]]; then
  echo "Removing previous bundle: ${DIST_OUT}"
  if ! rm -rf "${DIST_OUT}"; then
    echo "ERROR: Could not remove ${DIST_OUT}." >&2
    echo "This usually means root-owned files under .../macos_security/build from a prior sudo run of the bundle." >&2
    echo "Fix:  sudo rm -rf \"${DIST_OUT}\"" >&2
    echo "Then re-run this script. The spec omits mSCP build/ from the bundle to avoid shipping host output." >&2
    exit 1
  fi
fi
python -m PyInstaller --noconfirm "${ROOT}/applepy.spec"
echo "Output: ${ROOT}/dist/applepy/  →  run: dist/applepy/applepy --help"
echo "Note: build/applepy/ is PyInstaller’s work dir only (no _internal/). Do not run that copy."