studio/services/bot/Makefile

# Tinqs Team Tool — macOS Build System
# Usage:
#   make build-go       — compile darwin/arm64 Go binary with darwin_app build tag
#   make build-swift    — compile Swift .app via xcodebuild
#   make bundle         — assemble full .app bundle (copies Go binary into MacOS/)
#   make codesign       — sign Go binary then .app (requires SIGNING_IDENTITY env var)
#   make all            — build-go + build-swift + bundle
#
# Required env vars for codesign target:
#   SIGNING_IDENTITY    — e.g. "Developer ID Application: Tinqs Ltd (TEAMID)"

REPO_ROOT      := $(shell pwd)
CLI_DIR        := $(REPO_ROOT)/cli/transcribe
MACOS_DIR      := $(REPO_ROOT)/macos/TinqsTeamTool
SCHEME         := TinqsTeamTool
CONFIGURATION  := Release
BUILD_DIR      := $(MACOS_DIR)/build

# Go binary output path (intermediate — inside build/ before bundling)
GO_BIN_NAME    := tinqs-transcribe
GO_BIN_OUT     := $(BUILD_DIR)/$(GO_BIN_NAME)

# .app bundle path produced by xcodebuild
APP_BUNDLE     := $(BUILD_DIR)/$(CONFIGURATION)/$(SCHEME).app
APP_MACOS      := $(APP_BUNDLE)/Contents/MacOS

.PHONY: all build-go build-swift bundle codesign clean zip notarize upload-release release release-unsigned

all: build-go build-swift bundle

## build-go: Compile the Go binary for darwin/arm64 with darwin_app build tag.
## The darwin_app tag activates the no-op openWindow stub (window_other.go with
## build constraint !windows && !darwin_app) so the binary does not attempt to
## open a browser when launched as a subprocess by the Swift shell.
## CGO_ENABLED=0 ensures a pure static binary with no Xcode toolchain dependency
## for the Go build step.
build-go:
	@echo "==> Building Go binary (darwin/arm64, darwin_app tag)..."
	@mkdir -p $(BUILD_DIR)
	cd $(REPO_ROOT)/cli && CGO_ENABLED=0 GOOS=darwin GOARCH=arm64 \
	  go build -tags darwin_app \
	  -o $(GO_BIN_OUT) \
	  ./transcribe/
	@echo "    Output: $(GO_BIN_OUT)"

## build-swift: Compile the Swift .app via xcodebuild.
## Produces the .app bundle at build/Release/TinqsTeamTool.app.
## Swift source files are added in Plans 03 and 04; this target is a no-op
## until at least one .swift file exists in the target.
build-swift:
	@echo "==> Building Swift app (xcodebuild)..."
	xcodebuild \
	  -project $(MACOS_DIR)/TinqsTeamTool.xcodeproj \
	  -scheme $(SCHEME) \
	  -configuration $(CONFIGURATION) \
	  -derivedDataPath $(BUILD_DIR)/DerivedData \
	  CONFIGURATION_BUILD_DIR=$(BUILD_DIR)/$(CONFIGURATION) \
	  build
	@echo "    Output: $(APP_BUNDLE)"

## bundle: Copy the Go binary into the .app bundle's MacOS/ directory.
## Must run AFTER build-go and build-swift.
## The Go binary lands at TinqsTeamTool.app/Contents/MacOS/tinqs-transcribe
## where Bundle.main.url(forAuxiliaryExecutable:) will find it.
bundle:
	@echo "==> Bundling Go binary into .app..."
	@if [ ! -f "$(GO_BIN_OUT)" ]; then \
	  echo "ERROR: Go binary not found. Run: make build-go"; exit 1; \
	fi
	@if [ ! -d "$(APP_BUNDLE)" ]; then \
	  echo "ERROR: .app bundle not found. Run: make build-swift"; exit 1; \
	fi
	cp $(GO_BIN_OUT) $(APP_MACOS)/$(GO_BIN_NAME)
	@echo "    Bundled: $(APP_MACOS)/$(GO_BIN_NAME)"

## codesign: Sign Go binary (Hardened Runtime) then sign the .app bundle.
## Signing order is critical: child executables MUST be signed BEFORE the
## parent bundle (per Pitfall 10 / ARCHITECTURE.md).
## SIGNING_IDENTITY must be set in environment or passed as make variable.
## Example: make codesign SIGNING_IDENTITY="Developer ID Application: Tinqs Ltd (XXXXXXXXXX)"
codesign:
	@if [ -z "$(SIGNING_IDENTITY)" ]; then \
	  echo "ERROR: SIGNING_IDENTITY not set."; \
	  echo "Usage: make codesign SIGNING_IDENTITY=\"Developer ID Application: ...\""; \
	  exit 1; \
	fi
	@echo "==> Step 1/3: Signing Go binary with Hardened Runtime (child-first order)..."
	codesign \
	  --sign "$(SIGNING_IDENTITY)" \
	  --timestamp \
	  --options runtime \
	  --force \
	  $(APP_MACOS)/$(GO_BIN_NAME)
	@echo "==> Step 2/3: Signing .app bundle..."
	codesign \
	  --sign "$(SIGNING_IDENTITY)" \
	  --timestamp \
	  --options runtime \
	  --entitlements $(MACOS_DIR)/TinqsTeamTool/TinqsTeamTool.entitlements \
	  --deep \
	  --force \
	  $(APP_BUNDLE)
	@echo "==> Step 3/3: Verifying signature..."
	codesign --verify --deep --strict --verbose=2 $(APP_BUNDLE)
	spctl --assess --verbose=4 --type exec $(APP_BUNDLE) || \
	  echo "    (spctl may report rejection for dev builds without notarization — expected)"
	@echo "    Signed: $(APP_BUNDLE)"

## clean: Remove all build artifacts.
clean:
	rm -rf $(BUILD_DIR)
	@echo "    Cleaned $(BUILD_DIR)"

# ---------------------------------------------------------------------------
# Distribution targets — CI pipeline
# ---------------------------------------------------------------------------

## VERSION: Extracted from Xcode project MARKETING_VERSION. Override with VERSION=x.y.z.
VERSION ?= $(shell grep 'MARKETING_VERSION' $(MACOS_DIR)/TinqsTeamTool.xcodeproj/project.pbxproj | head -1 | sed 's/.*= //;s/;.*//' | tr -d ' ')
APP_ZIP := $(BUILD_DIR)/$(SCHEME)-$(VERSION).zip

## S3 release path for uploads.
S3_RELEASE_PATH := s3://tinqs-cli-releases/releases/darwin

## zip: Create distributable zip of the signed .app bundle.
## Produces TinqsTeamTool-$(VERSION).zip in BUILD_DIR.
## VERSION defaults to MARKETING_VERSION from pbxproj; override with VERSION=x.y.z.
zip:
	@echo "==> Creating release zip..."
	@if [ ! -d "$(APP_BUNDLE)" ]; then \
	  echo "ERROR: .app not found at $(APP_BUNDLE). Run: make all codesign"; exit 1; \
	fi
	cd $(BUILD_DIR)/$(CONFIGURATION) && zip -r -y $(APP_ZIP) $(SCHEME).app
	@echo "    Output: $(APP_ZIP) ($$(du -h $(APP_ZIP) | cut -f1))"

## notarize: Submit the .app zip to Apple for notarization.
## Requires: APPLE_ID, APPLE_PASSWORD (app-specific password), APPLE_TEAM_ID
## Blocks until notarization completes (typically 2-5 minutes).
notarize:
	@if [ -z "$(APPLE_ID)" ] || [ -z "$(APPLE_PASSWORD)" ] || [ -z "$(APPLE_TEAM_ID)" ]; then \
	  echo "ERROR: APPLE_ID, APPLE_PASSWORD, and APPLE_TEAM_ID must be set"; exit 1; \
	fi
	@echo "==> Submitting for notarization..."
	xcrun notarytool submit $(APP_ZIP) \
	  --apple-id "$(APPLE_ID)" \
	  --password "$(APPLE_PASSWORD)" \
	  --team-id "$(APPLE_TEAM_ID)" \
	  --wait
	@echo "==> Stapling notarization ticket..."
	xcrun stapler staple $(APP_BUNDLE)
	@echo "    Notarized and stapled: $(APP_BUNDLE)"

## upload-release: Upload signed zip and appcast.xml to S3.
## Requires: aws CLI configured, VERSION set.
## Optionally runs scripts/generate-appcast.sh if it exists and SPARKLE_KEY_PATH is set.
upload-release:
	@echo "==> Uploading to S3..."
	aws s3 cp $(APP_ZIP) $(S3_RELEASE_PATH)/$(SCHEME)-$(VERSION).zip
	aws s3 cp $(APP_ZIP) $(S3_RELEASE_PATH)/$(SCHEME)-latest.zip
	@if [ -x "./scripts/generate-appcast.sh" ] && [ -n "$(SPARKLE_KEY_PATH)" ]; then \
	  echo "==> Generating and uploading appcast..."; \
	  ./scripts/generate-appcast.sh $(APP_ZIP) $(VERSION) $(SPARKLE_KEY_PATH) > $(BUILD_DIR)/appcast.xml; \
	  aws s3 cp $(BUILD_DIR)/appcast.xml $(S3_RELEASE_PATH)/appcast.xml --content-type "application/xml"; \
	  echo "    Uploaded: $(S3_RELEASE_PATH)/appcast.xml"; \
	else \
	  echo "    Skipping appcast generation (no scripts/generate-appcast.sh or SPARKLE_KEY_PATH)"; \
	fi
	@echo "    Uploaded: $(S3_RELEASE_PATH)/$(SCHEME)-$(VERSION).zip"
	@echo "    Uploaded: $(S3_RELEASE_PATH)/$(SCHEME)-latest.zip"

## release: Full release pipeline — build, sign, notarize, zip, upload.
## Usage: make release SIGNING_IDENTITY="Developer ID Application: ..." \
##   APPLE_ID=x APPLE_PASSWORD=x APPLE_TEAM_ID=x
release: all codesign zip notarize upload-release
	@echo "==> Release complete: v$(VERSION)"

## release-unsigned: Build and zip without signing/notarization (dev builds).
## The install script will warn about unsigned builds but still install.
release-unsigned: all zip
	@echo "==> Unsigned release: $(APP_ZIP)"
	@echo "    Note: Install script will warn about missing signature"