name: Fortress Self-Archival
on:
  push:
    branches:
      - master

jobs:
  archive:
    runs-on: ubuntu-latest
    steps:
      - name: Check out Fortress
        uses: actions/checkout@v4
        with:
          fetch-depth: 0

      - name: Install Kubectl
        run: |
          curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
          sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

      - name: Pin to IPFS Sanctum
        run: |
          # Copy to IPFS pod
          POD_NAME=$(kubectl get pods -l app=ipfs-node -o jsonpath="{.items[0].metadata.name}")
          kubectl exec $POD_NAME -- mkdir -p /tmp/archives/knowledge-fortress
          kubectl cp . $POD_NAME:/tmp/archives/knowledge-fortress
          
          # Generate Hash
          CID=$(kubectl exec $POD_NAME -- ipfs add -r -Q /tmp/archives/knowledge-fortress)
          echo "========================================="
          echo "Knowledge Engineering Fortress Archived!"
          echo "CID: $CID"
          echo "========================================="
          
          # Clean up
          kubectl exec $POD_NAME -- rm -rf /tmp/archives/knowledge-fortress

      - name: Mirror to GitHub
        env:
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          if [ -n "$GITHUB_TOKEN" ]; then
            git remote add github https://x-access-token:${GITHUB_TOKEN}@github.com/mrhavens/${{ github.event.repository.name }}.git
            git push --force --all github
            git push --force --tags github
            echo "Successfully mirrored to GitHub!"
          else
            echo "GITHUB_TOKEN secret not found. Skipping GitHub mirror."
          fi

      - name: Mirror to Bitbucket
        env:
          BITBUCKET_USER: ${{ secrets.BITBUCKET_USER }}
          BITBUCKET_TOKEN: ${{ secrets.BITBUCKET_TOKEN }}
        run: |
          if [ -n "$BITBUCKET_TOKEN" ]; then
            git remote add bitbucket https://${BITBUCKET_USER}:${BITBUCKET_TOKEN}@bitbucket.org/mrhavens/${{ github.event.repository.name }}.git
            git push --force --all bitbucket
            git push --force --tags bitbucket
            echo "Successfully mirrored to Bitbucket!"
          else
            echo "BITBUCKET_TOKEN secret not found. Skipping Bitbucket mirror."
          fi

      - name: Mirror to GitLab
        env:
          GITLAB_TOKEN: ${{ secrets.GITLAB_TOKEN }}
        run: |
          if [ -n "$GITLAB_TOKEN" ]; then
            git remote add gitlab https://oauth2:${GITLAB_TOKEN}@gitlab.com/mrhavens/${{ github.event.repository.name }}.git
            git push --force --all gitlab
            git push --force --tags gitlab
            echo "Successfully mirrored to GitLab!"
          else
            echo "GITLAB_TOKEN secret not found. Skipping GitLab mirror."
          fi

      - name: Mirror to Hugging Face
        env:
          HF_TOKEN: ${{ secrets.HF_TOKEN }}
        run: |
          if [ -n "$HF_TOKEN" ]; then
            # Assuming a Model repository type by default on Hugging Face
            git remote add huggingface https://mrhavens:${HF_TOKEN}@huggingface.co/mrhavens/${{ github.event.repository.name }}.git
            git push --force --all huggingface
            git push --force --tags huggingface
            echo "Successfully mirrored to Hugging Face!"
          else
            echo "HF_TOKEN secret not found. Skipping Hugging Face mirror."
          fi

      - name: Setup Python
        uses: actions/setup-python@v4
        with:
          python-version: '3.x'

      - name: Steganographic Encoding (The Trojan Payload)
        run: |
          echo "Compressing the Sovereign Canon vault..."
          tar --exclude='./docs/assets/carriers' --exclude='./.git' -czf CANONICAL_VAULT.tar.gz .
          
          echo "Installing Python image processing libraries..."
          pip install Pillow
          
          echo "Encoding vault into primary carrier (Institute Logo)..."
          python3 scripts/stego_encoder.py CANONICAL_VAULT.tar.gz docs/assets/carriers/institute_logo.png docs/assets/encoded_logo.png
          
          echo "Encoding vault into secondary carrier (Infographic)..."
          python3 scripts/stego_encoder.py CANONICAL_VAULT.tar.gz docs/assets/carriers/recursive_coherence_infographic.png docs/assets/encoded_infographic.png
          
          echo "Moving encoded assets to MkDocs build directory..."
          mv docs/assets/encoded_logo.png docs/assets/institute_logo.png
          mv docs/assets/encoded_infographic.png docs/assets/recursive_coherence_infographic.png
          
          echo "Steganographic injection complete."

      - name: Build and Deploy Pages
        run: |
          if [ -f "mkdocs.yml" ]; then
            pip install mkdocs mkdocs-material mkdocs-rss-plugin
            git config --global user.name "Sovereign Automaton"
            git config --global user.email "automaton@fieldprint.one"
            mkdocs gh-deploy --force --remote-name origin
            if git remote | grep -q "^github$"; then git push --force github gh-pages; fi
            if git remote | grep -q "^gitlab$"; then git push --force gitlab gh-pages; fi
            echo "Pages successfully built and deployed across the mesh!"
          else
            echo "No mkdocs.yml found. Skipping Pages deployment."
          fi

      - name: Level 9 Automation (Physical Substrate)
        run: |
          echo "Installing Archival Dependencies..."
          sudo apt-get update && sudo apt-get install -y pandoc texlive-latex-base genisoimage
          pip install qrcode[pil]
          
          echo "Generating Archival Master Tome..."
          python3 scripts/compile_tome.py
          pandoc MASTER_TOME.md -o SOVEREIGN_CANON_MASTER_TOME.pdf --pdf-engine=pdflatex
          
          echo "Generating Machine-Readable QR Archive..."
          python3 scripts/generate_qr_archive.py CANONICAL_VAULT.tar.gz qr_archive/
          
          echo "Bundling M-DISC ISO..."
          mkisofs -o SOVEREIGN_CANON_MDISC.iso -R -J CANONICAL_VAULT.tar.gz SOVEREIGN_CANON_MASTER_TOME.pdf qr_archive/
          
          echo "Level 9 Archival Prep Complete."

      - name: Pin M-DISC ISO to IPFS Sanctum
        run: |
          POD_NAME=$(kubectl get pods -l app=ipfs-node -o jsonpath="{.items[0].metadata.name}")
          kubectl cp SOVEREIGN_CANON_MDISC.iso $POD_NAME:/tmp/SOVEREIGN_CANON_MDISC.iso
          CID=$(kubectl exec $POD_NAME -- ipfs add -Q /tmp/SOVEREIGN_CANON_MDISC.iso)
          echo "========================================="
          echo "Level 9 M-DISC ISO Anchored to IPFS!"
          echo "CID: $CID"
          echo "========================================="
          kubectl exec $POD_NAME -- rm /tmp/SOVEREIGN_CANON_MDISC.iso

      - name: Sync to Radicle Network
        run: |
          RAD_POD=$(kubectl get pods -n radicle -l app=radicle -o jsonpath="{.items[0].metadata.name}")
          kubectl exec -n radicle $RAD_POD -- mkdir -p /tmp/sync-repo
          # We use tar to ensure .git and all hidden files are cleanly preserved
          tar czf - . | kubectl exec -n radicle -i $RAD_POD -- tar xzf - -C /tmp/sync-repo
          
          kubectl exec -n radicle $RAD_POD -- bash -c '
            export RAD_HOME=/radicle/.radicle
            export RAD_PASSPHRASE="sovereign"
            export PATH=$PATH:/radicle/bin
            cd /tmp/sync-repo
            chown -R $(id -u):$(id -g) .
            
            # Check if repository is already initialized in Radicle
            if ! rad inspect > /dev/null 2>&1; then
              echo "Initializing Radicle repository..."
              rad init --name "${{ github.event.repository.name }}" --description "Sovereign Canon" --default-branch master --public --no-confirm
            else
              echo "Pushing updates to Radicle..."
              git push rad master
            fi
            
            # Clean up
            cd /
            rm -rf /tmp/sync-repo
          '