#!/usr/bin/env bash
# Test native Cosign verification for aqua packages.
# Covers both checksum-level cosign and top-level binary cosign.

set -euo pipefail

export MISE_EXPERIMENTAL=1
export MISE_AQUA_COSIGN=true
export MISE_AQUA_SLSA=false
export MISE_AQUA_GITHUB_ATTESTATIONS=false

echo "=== Testing Native Cosign Verification (checksum-level) ==="

# Test: Install fork-cleaner which has cosign bundle verification configured
echo "Installing fork-cleaner with native Cosign verification..."

# Capture the installation output to verify the native verification is being used
output=$(mise install aqua:caarlos0/fork-cleaner@2.4.0 2>&1)
echo "$output"

# Verify the native Cosign verification was used
if echo "$output" | grep -q "Cosign"; then
  echo "✅ Native Cosign verification was used"
else
  echo "❌ ERROR: Cosign verification message not found in output"
  echo "Output was:"
  echo "$output"
  exit 1
fi

# Verify the tool works
assert_contains "mise x aqua:caarlos0/fork-cleaner@2.4.0 -- fork-cleaner --version" "2.4.0"
echo "✓ fork-cleaner installed and working correctly"

echo "=== Testing Native Cosign Verification (top-level binary config) ==="
echo "Installing envsense with top-level binary Cosign verification..."

output=$(mise install aqua:technicalpickles/envsense@0.3.4 2>&1)
echo "$output"

if echo "$output" | grep -q "Cosign verified" && ! echo "$output" | grep -q "verify checksums with cosign"; then
  echo "✅ Native top-level binary Cosign verification was used"
else
  echo "❌ ERROR: top-level binary Cosign verification was not detected in output"
  echo "Output was:"
  echo "$output"
  exit 1
fi

assert_contains "mise x aqua:technicalpickles/envsense@0.3.4 -- which envsense" "envsense"
echo "✓ envsense installed and working correctly"

echo ""
echo "=== Native Cosign Verification Test Passed ✓ ==="
