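# 09-Setup-CMM.ps1 - CMM type setup (runs during shopfloor-setup phase).
#
# At imaging time the tsgwp00525 SFLD share is NOT yet reachable - Azure DSC
# has not provisioned the share credentials that early. So we install from a
# WinPE-staged local copy at C:\CMM-Install (put there by startnet.cmd when
# the tech picks pc-type=CMM), then register a logon-triggered scheduled
# task that runs CMM-Enforce.ps1 for ongoing updates from the share.
#
# Sequence:
#   1. Enable .NET Framework 3.5 (PC-DMIS 2016 prereq on Win10/11 where 3.5
#      is an off-by-default optional feature).
#   2. Run Install-FromManifest against C:\CMM-Install\cmm-manifest.json.
#   3. Stage Install-FromManifest.ps1 + CMM-Enforce.ps1 + the manifest to
#      C:\Program Files\GE\CMM so the scheduled task has them after imaging.
#   4. Register a SYSTEM scheduled task "GE CMM Enforce" that runs
#      CMM-Enforce.ps1 on any user logon.
#   5. Delete C:\CMM-Install to reclaim the ~2 GB of bootstrap installers.
#      The share-side enforcer takes over from here.
#
# Log: C:\Logs\CMM\09-Setup-CMM.log (stdout from this script) plus the
# install-time log at C:\Logs\CMM\install.log written by Install-FromManifest.
#
# Security notes for maintainers:
#   - Step 4 registers a task that runs as SYSTEM with -ExecutionPolicy Bypass.
#     Anything that can modify C:\Program Files\GE\CMM, or the content the
#     enforcer later pulls from the share, therefore runs with SYSTEM rights.
#     Program Files is writable only by administrators by default; keep it so.
#   - NOTE(review): C:\CMM-Install and C:\Logs sit at the drive root and
#     inherit its ACL. Confirm non-admin accounts cannot modify the staged
#     installers or manifest before Step 2 executes them.
#   - NOTE(review): this script does not verify installer integrity itself;
#     confirm Install-FromManifest checks hashes or signatures.

# Best-effort by design: a failed step is logged and the run carries on.
$ErrorActionPreference = 'Continue'

$stagingRoot    = 'C:\CMM-Install'
$stagingMani    = Join-Path $stagingRoot 'cmm-manifest.json'
$libSource      = Join-Path $PSScriptRoot 'lib\Install-FromManifest.ps1'
$enforceSource  = Join-Path $PSScriptRoot 'CMM-Enforce.ps1'

$runtimeRoot    = 'C:\Program Files\GE\CMM'
$runtimeLibDir  = Join-Path $runtimeRoot 'lib'
$runtimeLib     = Join-Path $runtimeLibDir 'Install-FromManifest.ps1'
$runtimeEnforce = Join-Path $runtimeRoot 'CMM-Enforce.ps1'
# Fallback manifest kept next to the enforcer.
# NOTE(review): confirm CMM-Enforce.ps1 looks for its fallback manifest here.
$runtimeMani    = Join-Path $runtimeRoot 'cmm-manifest.json'

$logDir         = 'C:\Logs\CMM'
$logFile        = Join-Path $logDir 'install.log'
$transcriptLog  = Join-Path $logDir '09-Setup-CMM.log'

if (-not (Test-Path $logDir)) {
    New-Item -Path $logDir -ItemType Directory -Force | Out-Null
}

# Independent transcript in addition to whatever Run-ShopfloorSetup.ps1 is
# capturing at the top level. Lets a tech open C:\Logs\CMM\09-Setup-CMM.log
# and see the entire CMM-type setup run without scrolling through the
# monolithic shopfloor-setup.log.
# Deliberately best-effort: a transcript failure must not block imaging.
try { Start-Transcript -Path $transcriptLog -Append -Force | Out-Null } catch {}

# Writes one timestamped, levelled line to the host (captured by the transcript).
#   -Message  text to log
#   -Level    severity tag shown in the line; defaults to INFO
function Write-CMMLog {
    param([string]$Message, [string]$Level = 'INFO')
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    Write-Host "[$stamp] [$Level] $Message"
}

Write-CMMLog "================================================================"
Write-CMMLog "=== CMM Setup (imaging-time) session start (PID $PID) ==="
Write-CMMLog "Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Write-CMMLog "================================================================"

# Diagnostic dump - knowing WHY the script took a branch is half the battle.
Write-CMMLog "Script root: $PSScriptRoot"
foreach ($file in @('pc-type.txt','pc-subtype.txt','machine-number.txt')) {
    $path = "C:\Enrollment\$file"
    if (Test-Path -LiteralPath $path) {
        # Get-Content returns $null for an empty or unreadable file. Calling
        # .Trim() on that would throw and the log line would then repeat the
        # previous file's value, so handle the null case explicitly.
        $firstLine = Get-Content -LiteralPath $path -First 1 -ErrorAction SilentlyContinue
        if ($null -ne $firstLine) {
            $content = "$firstLine".Trim()
        } else {
            $content = '(empty or unreadable)'
        }
        Write-CMMLog " $file = $content"
    } else {
        Write-CMMLog " $file = (not present)"
    }
}

if (Test-Path $stagingRoot) {
    $bootstrapFiles = @(Get-ChildItem -LiteralPath $stagingRoot -File -ErrorAction SilentlyContinue)
    Write-CMMLog "Bootstrap staging: $stagingRoot ($($bootstrapFiles.Count) files)"
    foreach ($f in $bootstrapFiles) {
        Write-CMMLog " - $($f.Name) ($([math]::Round($f.Length/1MB)) MB)"
    }
} else {
    Write-CMMLog "Bootstrap staging: $stagingRoot (DOES NOT EXIST - startnet.cmd did not stage it)" "ERROR"
}

# ============================================================================
# Step 1: Enable .NET Framework 3.5
# ============================================================================
# PC-DMIS 2016 lists .NET 3.5 as a prereq for some older components. On Win10/
# Win11 it's an optional Windows feature that is OFF by default. Enable-
# WindowsOptionalFeature pulls the payload from Windows Update when the PC
# has internet; sources from the installed Windows image otherwise. Idempotent
# (no-op if already enabled). We swallow failures because if internet and
# media are both unavailable this becomes a known gap rather than an imaging
# blocker - we'd still rather try to install PC-DMIS and surface the real
# failure in its log.
Write-CMMLog "Checking .NET Framework 3.5 state..."
try {
    $netfx = Get-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -ErrorAction Stop
    if ($netfx.State -eq 'Enabled') {
        Write-CMMLog " .NET 3.5 already enabled"
    } else {
        Write-CMMLog " .NET 3.5 state is $($netfx.State) - enabling now (may take a minute)..."
        $result = Enable-WindowsOptionalFeature -Online -FeatureName 'NetFx3' -All -NoRestart -ErrorAction Stop
        Write-CMMLog " Enable-WindowsOptionalFeature RestartNeeded=$($result.RestartNeeded)"
    }
} catch {
    Write-CMMLog " Failed to enable .NET 3.5: $_" "WARN"
    Write-CMMLog " Continuing anyway - PC-DMIS installers will surface any hard dependency."
}

# ============================================================================
# Step 2: Install apps from the WinPE-staged bootstrap at C:\CMM-Install
# ============================================================================
if (-not (Test-Path $stagingRoot)) {
    Write-CMMLog "$stagingRoot does not exist - startnet.cmd did not stage CMM installers" "ERROR"
    Write-CMMLog "Skipping install. The logon enforcer will pick up from the share when SFLD creds are available."
} elseif (-not (Test-Path $stagingMani)) {
    Write-CMMLog "$stagingMani missing - staging directory is incomplete" "ERROR"
} elseif (-not (Test-Path $libSource)) {
    Write-CMMLog "Shared library not found at $libSource" "ERROR"
} else {
    Write-CMMLog "Running Install-FromManifest against $stagingRoot"
    & $libSource -ManifestPath $stagingMani -InstallerRoot $stagingRoot -LogFile $logFile
    # NOTE(review): $LASTEXITCODE is only updated when the called script ends
    # with 'exit N' or runs a native program; otherwise this logs a stale or
    # empty value. Confirm Install-FromManifest.ps1 sets an exit code.
    $rc = $LASTEXITCODE
    Write-CMMLog "Install-FromManifest returned $rc"
}

# ============================================================================
# Step 3: Stage runtime scripts to C:\Program Files\GE\CMM
# ============================================================================
# These files survive past the bootstrap cleanup so the logon-triggered
# scheduled task can run them. The manifest is staged as well so the enforcer
# has a fallback in case the share copy is unreachable on first logon.
Write-CMMLog "Staging runtime scripts to $runtimeRoot"
foreach ($dir in @($runtimeRoot, $runtimeLibDir)) {
    if (-not (Test-Path $dir)) {
        New-Item -Path $dir -ItemType Directory -Force | Out-Null
    }
}

# Each copy is checked individually: a missing source or a failed copy is
# logged instead of silently leaving the scheduled task with nothing to run.
# The manifest must be copied here because Step 5 deletes its only other copy.
$runtimeFiles = @(
    @{ Label = 'shared library';    Source = $libSource;     Destination = $runtimeLib }
    @{ Label = 'enforcer script';   Source = $enforceSource; Destination = $runtimeEnforce }
    @{ Label = 'fallback manifest'; Source = $stagingMani;   Destination = $runtimeMani }
)
foreach ($item in $runtimeFiles) {
    if (-not (Test-Path -LiteralPath $item.Source)) {
        Write-CMMLog " Cannot stage $($item.Label): $($item.Source) not found" "ERROR"
        continue
    }
    try {
        Copy-Item -LiteralPath $item.Source -Destination $item.Destination -Force -ErrorAction Stop
        Write-CMMLog " Staged $($item.Label) to $($item.Destination)"
    } catch {
        Write-CMMLog " Failed to stage $($item.Label) to $($item.Destination): $_" "ERROR"
    }
}

# ============================================================================
# Step 4: Register "GE CMM Enforce" scheduled task (logon trigger, SYSTEM)
# ============================================================================
$taskName = 'GE CMM Enforce'

# Drop any stale version first so re-imaging is idempotent.
$existing = Get-ScheduledTask -TaskName $taskName -ErrorAction SilentlyContinue
if ($existing) {
    Write-CMMLog "Removing existing scheduled task '$taskName'"
    Unregister-ScheduledTask -TaskName $taskName -Confirm:$false -ErrorAction SilentlyContinue
}

if (-not (Test-Path -LiteralPath $runtimeEnforce)) {
    # Do not leave a SYSTEM task pointing at a script path that does not exist.
    Write-CMMLog "Not registering scheduled task '$taskName' - $runtimeEnforce is missing" "ERROR"
} else {
    Write-CMMLog "Registering scheduled task '$taskName' (logon trigger, SYSTEM)"
    try {
        # The task runs as SYSTEM and bypasses execution policy, so the
        # integrity of $runtimeEnforce rests entirely on the directory's ACL.
        $action = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$runtimeEnforce`""
        $trigger = New-ScheduledTaskTrigger -AtLogOn
        $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest

        $settingsArgs = @{
            AllowStartIfOnBatteries    = $true
            DontStopIfGoingOnBatteries = $true
            StartWhenAvailable         = $true
            ExecutionTimeLimit         = (New-TimeSpan -Hours 2)
            MultipleInstances          = 'IgnoreNew'
        }
        $settings = New-ScheduledTaskSettingsSet @settingsArgs

        $registerArgs = @{
            TaskName    = $taskName
            Action      = $action
            Trigger     = $trigger
            Principal   = $principal
            Settings    = $settings
            Description = 'GE CMM: enforce Hexagon apps against tsgwp00525 SFLD share on user logon'
        }
        Register-ScheduledTask @registerArgs | Out-Null
        Write-CMMLog "Scheduled task registered"
    } catch {
        Write-CMMLog "Failed to register scheduled task: $_" "ERROR"
    }
}

# ============================================================================
# Step 5: Clean up the bootstrap staging dir
# ============================================================================
# ~2 GB reclaimed. From here on, CMM-Enforce.ps1 runs against the tsgwp00525
# share, which is the canonical source for ongoing updates.
# The directory is removed even when Step 2 was skipped or failed; recovery
# then depends on the logon enforcer and the share.
if (Test-Path $stagingRoot) {
    Write-CMMLog "Deleting bootstrap staging at $stagingRoot"
    try {
        Remove-Item -LiteralPath $stagingRoot -Recurse -Force -ErrorAction Stop
        Write-CMMLog "Bootstrap cleanup complete"
    } catch {
        Write-CMMLog "Failed to delete $stagingRoot : $_" "WARN"
    }
}

Write-CMMLog "=== CMM Setup Complete ==="
try { Stop-Transcript | Out-Null } catch {}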