#!/usr/bin/env bash
set -euo pipefail

SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_DIR="$(cd -- "$SCRIPT_DIR/.." && pwd)"

SECRETS_FILE="${SMOOTH_SSH_MCP_SECRETS:-$HOME/.config/smooth-ssh-mcp/secrets.env}"
CONFIG_FILE="${SMOOTH_SSH_MCP_CONFIG:-$HOME/.config/smooth-ssh-mcp/hosts.yaml}"

if [[ -f "$SECRETS_FILE" ]]; then
  if [[ ! -O "$SECRETS_FILE" ]]; then
    echo "Refusing to load secrets file not owned by current user: $SECRETS_FILE" >&2
    exit 1
  fi
  mode="$(stat -c '%a' "$SECRETS_FILE")"
  case "$mode" in
    400|600) ;;
    *)
      echo "Refusing to load secrets file with mode $mode; run: chmod 600 $SECRETS_FILE" >&2
      exit 1
      ;;
  esac
  while IFS= read -r line || [[ -n "$line" ]]; do
    line="${line%$'\r'}"
    if [[ "$line" =~ ^[[:space:]]*$ || "$line" =~ ^[[:space:]]*# ]]; then
      continue
    fi
    if [[ ! "$line" =~ ^[[:space:]]*(export[[:space:]]+)?([A-Za-z_][A-Za-z0-9_]*)=(.*)$ ]]; then
      echo "Refusing to load invalid secrets line from $SECRETS_FILE" >&2
      exit 1
    fi
    key="${BASH_REMATCH[2]}"
    value="${BASH_REMATCH[3]}"
    if [[ "$value" == \"*\" && "$value" == *\" && ${#value} -ge 2 ]]; then
      value="${value:1:${#value}-2}"
    elif [[ "$value" == \'*\' && "$value" == *\' && ${#value} -ge 2 ]]; then
      value="${value:1:${#value}-2}"
    fi
    export "$key=$value"
  done < "$SECRETS_FILE"
fi

exec node "$PROJECT_DIR/dist/server.js" --config "$CONFIG_FILE"
