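#!/usr/bin/env bash
# Rule: ledger.hash_chain_intact (controls AU-01, AU-02).
#
# Reads <evidence_dir>/ledger_verify.json, written by the ledger verify
# collector, and emits exactly one JSON rule result through json_emit.
# The rule passes only when the evidence carries a boolean `ok: true`.
# A missing, uncollected or malformed evidence file is reported as a
# CRITICAL failure (passed:false) instead of aborting the checker, so an
# absent or tampered file can never be mistaken for a pass.
#
# Usage:    ledger_hash_chain_intact.sh <evidence_dir>
# Requires: jq; require_cmd, iso_utc_now and json_emit from common.sh.
set -euo pipefail
source "$(dirname "$0")/../scripts/lib/common.sh"
require_cmd jq

EVID_DIR="${1:?usage: ledger_hash_chain_intact.sh <evidence_dir>}"
TS="$(iso_utc_now)"
FILE="$EVID_DIR/ledger_verify.json"
readonly EVID_DIR TS FILE

#######################################
# Build and emit the rule result document.
# The constant fields (version, rule id, control ids, severity, evidence
# path) live here so every branch below produces an identical envelope.
# Globals:   TS (read)
# Arguments: $1 - JSON boolean for `passed` ("true" or "false")
#            $2 - JSON object used verbatim as `details`
# Outputs:   hands the result document to json_emit
#######################################
emit_result() {
  local passed=$1
  local details=$2
  local doc
  # Declaration and assignment are split so a jq failure is not masked by
  # `local` and still trips `set -e`.
  doc="$(jq -n \
    --arg ts "$TS" \
    --argjson passed "$passed" \
    --argjson details "$details" \
    '{
      version: "1.0.0",
      rule_id: "ledger.hash_chain_intact",
      control_ids: ["AU-01", "AU-02"],
      passed: $passed,
      severity: "CRITICAL",
      timestamp: $ts,
      evidence: [{path: "ledger_verify.json"}],
      details: $details
    }')"
  json_emit "$doc"
}

# Missing evidence is a failed control, not a crash: downstream reporting
# still needs a result document to see the control as unmet.
if [[ ! -f "$FILE" ]]; then
  emit_result false '{"error":"missing evidence file"}'
  exit 0
fi

# Reject unparseable or non-object evidence up front. Without this, the
# first `jq` read below would abort the script under `set -e` with no
# result emitted at all.
if ! jq -e 'type == "object"' "$FILE" >/dev/null 2>&1; then
  emit_result false '{"error":"evidence file is not a JSON object"}'
  exit 0
fi

# `collected` defaults to true when the key is absent (kept from the
# original contract with the collector); only an explicit value other
# than the JSON boolean true marks the evidence as uncollected.
COLLECTED="$(jq -r '(.collected // true) == true' "$FILE")"
if [[ "$COLLECTED" != "true" ]]; then
  emit_result false '{"error":"ledger verify not collected"}'
  exit 0
fi

# Compare against the JSON boolean rather than the rendered text, so a
# string value "true" cannot satisfy the rule.
OK="$(jq -r '(.ok // false) == true' "$FILE")"
ENTRY_COUNT="$(jq -c '.entry_count // 0' "$FILE")"
FAILURES_JSON="$(jq -c '.failures // []' "$FILE")"

# entry_count is spliced back in with --argjson; anything other than a
# non-negative integer would make that call fail, so report it as
# malformed evidence instead.
if [[ ! "$ENTRY_COUNT" =~ ^[0-9]+$ ]]; then
  emit_result false "$(jq -n --arg raw "$ENTRY_COUNT" \
    '{error:"malformed entry_count", entry_count:$raw}')"
  exit 0
fi

if [[ "$OK" == "true" ]]; then
  emit_result true "$(jq -n --argjson count "$ENTRY_COUNT" \
    '{entries_checked:$count}')"
else
  emit_result false "$(jq -n \
    --argjson count "$ENTRY_COUNT" \
    --argjson failures "$FAILURES_JSON" \
    '{entries_checked:$count, failures:$failures}')"
fi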