#!/bin/sh
set -e

# Infisical runtime bootstrap. Required:
#   INFISICAL_CLIENT_ID      - universal-auth clientId for `architools-prod`
#   INFISICAL_CLIENT_SECRET  - universal-auth clientSecret (bootstrap only)
# Optional:
#   INFISICAL_URL            default https://infisical.beletage.ro
#   INFISICAL_WORKSPACE_ID   default 078c998d-43a9-420c-aec4-712011108410
#   INFISICAL_ENV            default prod
#   INFISICAL_APP_PATH       default /architools

if [ -n "$INFISICAL_CLIENT_ID" ] && [ -n "$INFISICAL_CLIENT_SECRET" ]; then
  INFISICAL_URL="${INFISICAL_URL:-https://infisical.beletage.ro}"
  INFISICAL_WORKSPACE_ID="${INFISICAL_WORKSPACE_ID:-078c998d-43a9-420c-aec4-712011108410}"
  INFISICAL_ENV="${INFISICAL_ENV:-prod}"
  INFISICAL_APP_PATH="${INFISICAL_APP_PATH:-/architools}"

  echo "[infisical] authenticating as architools-prod..."
  AUTH_RESP=$(curl -sk --fail -m 10 -X POST "$INFISICAL_URL/api/v1/auth/universal-auth/login" \
    -H "Content-Type: application/json" \
    -d "{\"clientId\":\"$INFISICAL_CLIENT_ID\",\"clientSecret\":\"$INFISICAL_CLIENT_SECRET\"}") || {
    echo "[infisical] FATAL: universal-auth login failed"; exit 2;
  }
  INFISICAL_TOKEN=$(printf '%s' "$AUTH_RESP" | jq -r '.accessToken')
  unset AUTH_RESP
  [ -n "$INFISICAL_TOKEN" ] && [ "$INFISICAL_TOKEN" != "null" ] || {
    echo "[infisical] FATAL: no accessToken in login response"; exit 2;
  }

  fetch_path() {
    curl -sk --fail -m 10 \
      "$INFISICAL_URL/api/v3/secrets/raw?workspaceId=$INFISICAL_WORKSPACE_ID&environment=$INFISICAL_ENV&secretPath=$1" \
      -H "Authorization: Bearer $INFISICAL_TOKEN"
  }

  APP_SECRETS=$(fetch_path "$INFISICAL_APP_PATH") || {
    echo "[infisical] FATAL: fetch $INFISICAL_APP_PATH failed"; exit 3;
  }
  ROOT_SECRETS=$(fetch_path "/") || {
    echo "[infisical] FATAL: fetch / failed"; exit 3;
  }

  APP_COUNT=$(printf '%s' "$APP_SECRETS" | jq '.secrets | length')
  ROOT_COUNT=$(printf '%s' "$ROOT_SECRETS" | jq '.secrets | length')
  echo "[infisical] fetched $APP_COUNT app secrets, $ROOT_COUNT root secrets"

  TMP=$(mktemp); trap "rm -f $TMP" EXIT
  printf '%s' "$APP_SECRETS" | jq -r --argjson rootMap "$(printf '%s' "$ROOT_SECRETS" | jq '.secrets | map({(.secretKey): .secretValue}) | add')" '
    .secrets[] as $s |
    ($s.secretValue
      | gsub("\\$\\{/(?<n>[A-Z0-9_]+)\\}"; ($rootMap[.n] // ("${/" + .n + "}")))
      | gsub("\\$\\{(?<n>[A-Z0-9_]+)\\}";  ($rootMap[.n] // ("${" + .n + "}")))
    ) as $resolved |
    "export " + $s.secretKey + "=" + ($resolved | @sh)
  ' > "$TMP"

  unset APP_SECRETS ROOT_SECRETS INFISICAL_TOKEN
  # shellcheck disable=SC1090
  . "$TMP"
  rm -f "$TMP"; trap - EXIT
  echo "[infisical] exported env - DATABASE_URL=${DATABASE_URL:+set} AUTHENTIK_CLIENT_ID=${AUTHENTIK_CLIENT_ID:+set} MINIO_ACCESS_KEY=${MINIO_ACCESS_KEY:+set} GIS_API_URL=${GIS_API_URL:+set}"
else
  echo "[infisical] INFISICAL_CLIENT_ID unset - skipping bootstrap (dev mode)"
fi

echo "[entrypoint] Starting app: $*"
exec "$@"