#!/bin/sh
# Threat Intel API - Publish IOCs to chain
# POST: Triggers collection and publishing of local IOCs

echo "Content-Type: application/json"
echo "Access-Control-Allow-Origin: *"
echo "Access-Control-Allow-Methods: POST, OPTIONS"
echo "Access-Control-Allow-Headers: Content-Type"
echo ""

# Handle CORS preflight
if [ "$REQUEST_METHOD" = "OPTIONS" ]; then
	exit 0
fi

if [ "$REQUEST_METHOD" != "POST" ]; then
	echo '{"success":false,"error":"method_not_allowed","message":"Use POST to trigger publish"}'
	exit 0
fi

. /usr/lib/secubox/threat-intel.sh 2>/dev/null

ti_init

# Collect fresh IOCs then publish
ti_collect_all >/dev/null 2>&1
result=$(ti_publish_iocs 2>/dev/null)

if [ -n "$result" ]; then
	published=$(echo "$result" | jsonfilter -e '@.published' 2>/dev/null || echo "0")
	echo "{\"success\":true,\"published\":$published}"
else
	echo '{"success":true,"published":0}'
fi
