#!/bin/bash
# postinstall — runs as root after pkgbuild installs payload.
# launchctl errors are tolerated so installs at the loginwindow (no console
# user) succeed; agents load on next login regardless.

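# Abort the install on any unhandled failure, unset variable or failed
# pipeline stage; the launchctl calls further down opt out explicitly.
set -euo pipefail

# Installed binary: pin the owner as well as the mode. Mode 755 alone leaves
# the owner at whatever the payload recorded, while the plists and the state
# directory below are all forced to root:wheel.
# NOTE(review): presumably the LaunchDaemon runs this binary as root — confirm
# against the plists. The parent directories under /usr/local are not checked
# here; verify that the payload installs them root-owned and not writable by
# group or others, since a writable parent lets the file be swapped out.
AIWATCH_BIN=/usr/local/lib/runlayer/aiwatch/aiwatch
chown root:wheel "$AIWATCH_BIN"
chmod 755 "$AIWATCH_BIN"

# Install-window stamp; see runlayer_cli/install_window.py.
# The directory is forced to root:wheel 755 *before* the stamp is written, so
# the truncate below happens in a directory that only root can modify.
STATE_DIR=/var/db/com.runlayer.aiwatch
mkdir -p "$STATE_DIR"
chown root:wheel "$STATE_DIR"
chmod 755 "$STATE_DIR"

# Create (or truncate) the empty stamp file; world-readable, root-writable.
: > "$STATE_DIR/.install-time"
chown root:wheel "$STATE_DIR/.install-time"
chmod 644 "$STATE_DIR/.install-time"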

# launchd job tables. Each *_LABELS entry pairs by index with the plist at the
# same position in the matching *_PLISTS array; the loops below rely on that
# ordering, so keep the two lists in step when adding a job.

# Per-user agents (plists under /Library/LaunchAgents).
AGENT_LABELS=("com.runlayer.aiwatch" "com.runlayer.aiwatch.enroll")
AGENT_PLISTS=(
    "/Library/LaunchAgents/com.runlayer.aiwatch.plist"
    "/Library/LaunchAgents/com.runlayer.aiwatch.enroll.plist"
)

# System-wide daemons (plists under /Library/LaunchDaemons).
DAEMON_LABELS=("com.runlayer.aiwatch.bootstrap")
DAEMON_PLISTS=("/Library/LaunchDaemons/com.runlayer.aiwatch.bootstrap.plist")

# launchd requires root:wheel ownership for plists in /Library/*.
# Mode 644 keeps each job definition readable by everyone and writable by
# root only. Both commands run unguarded, so under `set -e` a missing or
# unmodifiable plist aborts the install instead of being skipped.
ALL_PLISTS=("${AGENT_PLISTS[@]}" "${DAEMON_PLISTS[@]}")
for plist_path in "${ALL_PLISTS[@]}"; do
    chown root:wheel "$plist_path"
    chmod 644 "$plist_path"
done

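# Bootstrap daemons into system domain (start now + every boot). Idempotent.
# A failure here never fails the install, but a failed bootstrap is reported
# on stderr so that a daemon which did not load leaves a trace instead of
# being silently swallowed.
for i in "${!DAEMON_LABELS[@]}"; do
    # bootout is expected to fail when the job is not loaded (e.g. first
    # install), so its error is discarded on purpose.
    launchctl bootout "system/${DAEMON_LABELS[$i]}" 2>/dev/null || true

    # Capture the status without tripping `set -e`.
    rc=0
    launchctl bootstrap system "${DAEMON_PLISTS[$i]}" 2>/dev/null || rc=$?
    if [ "$rc" -ne 0 ]; then
        printf 'postinstall: warning: launchctl bootstrap system %s failed (exit %d)\n' \
            "${DAEMON_PLISTS[$i]}" "$rc" >&2
    fi
done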

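# Bootstrap agents into the console user's GUI domain. No-op at loginwindow.
# The owner of /dev/console is taken as the logged-in user; an empty value
# (stat failed) or uid 0 means there is no user session to load into.
CONSOLE_UID=$(stat -f %u /dev/console 2>/dev/null || echo "")

case "$CONSOLE_UID" in
    '' | 0)
        # No console user: agents load on next login.
        ;;
    *[!0-9]*)
        # Anything other than a plain decimal uid must not be spliced into a
        # launchctl domain target; skip and leave a trace.
        printf 'postinstall: warning: unexpected console uid %s; skipping agent bootstrap\n' \
            "$CONSOLE_UID" >&2
        ;;
    *)
        for i in "${!AGENT_LABELS[@]}"; do
            # bootout fails when the agent is not loaded yet; expected.
            launchctl bootout "gui/${CONSOLE_UID}/${AGENT_LABELS[$i]}" 2>/dev/null || true

            # Tolerated failure (the agent loads on next login), but reported.
            rc=0
            launchctl bootstrap "gui/${CONSOLE_UID}" "${AGENT_PLISTS[$i]}" 2>/dev/null || rc=$?
            if [ "$rc" -ne 0 ]; then
                printf 'postinstall: warning: launchctl bootstrap gui/%s %s failed (exit %d)\n' \
                    "$CONSOLE_UID" "${AGENT_PLISTS[$i]}" "$rc" >&2
            fi
        done
        ;;
esac

# launchctl problems above are warnings only; the install itself succeeded.
exit 0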
