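#!/usr/bin/env bash
#
# Pre-commit hook: normalize the admin-session settings in the production
# compose file before it is committed.
#   * ADMIN_SESSION_COOKIE_SECURE is forced to "true".
#   * ADMIN_SESSION_SECRET is forced to the ${ADMIN_SESSION_SECRET}
#     placeholder, so the entry references the environment instead of
#     carrying a literal value.
# When the file had to be rewritten it is re-staged with `git add`.
#
# Exit status:
#   0  file absent, already normalized, or normalized and re-staged
#   2  the anchor line needed to insert a missing entry was not found
#   3  ADMIN_SESSION_COOKIE_SECURE=true is still absent after the rewrite
#   4  the ADMIN_SESSION_SECRET placeholder is still absent after the rewrite
#   other non-zero: python3 itself failed (missing interpreter, I/O error, ...)
set -euo pipefail

ROOT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")/../.." && pwd)"
TARGET_FILE="$ROOT_DIR/docker/prod/docker-compose.yml"

# A missing entry is inserted verbatim on a new line right after its anchor.
# NOTE(review): the leading whitespace of these literals therefore has to
# equal the indentation of the compose file's environment list, otherwise the
# inserted line is mis-indented - confirm against the real file.
ANCHOR_LINE=" - ADMIN_SESSION_DIR=/usr/src/app/src/data/sessions"
EXPECTED_LINE=" - ADMIN_SESSION_COOKIE_SECURE=true"
SECRET_ANCHOR_LINE=' - NODE_ENV=production'

# Single quotes are deliberate: ${ADMIN_SESSION_SECRET} must reach the compose
# file as a literal placeholder and must not be expanded by this shell.
# shellcheck disable=SC2016
SECRET_EXPECTED_LINE=' - ADMIN_SESSION_SECRET=${ADMIN_SESSION_SECRET}'
# shellcheck disable=SC2016
SECRET_VALUE='${ADMIN_SESSION_SECRET}'

# Nothing to enforce when the production compose file does not exist.
if [[ ! -f "$TARGET_FILE" ]]; then
  exit 0
fi

# The embedded Python program receives its inputs through the environment.
export TARGET_FILE ANCHOR_LINE EXPECTED_LINE
export SECRET_ANCHOR_LINE SECRET_EXPECTED_LINE SECRET_VALUE

# Capture the exit status through `||`. A bare `result=$(...)` followed by
# `status=$?` aborts the script under `set -e` as soon as python3 fails, which
# leaves the failure branch below unreachable.
status=0
result=$(python3 <<'PY'
import os
import pathlib
import re
import sys

path = pathlib.Path(os.environ['TARGET_FILE'])
anchor = os.environ['ANCHOR_LINE']
expected = os.environ['EXPECTED_LINE']
secret_anchor = os.environ['SECRET_ANCHOR_LINE']
secret_expected = os.environ['SECRET_EXPECTED_LINE']
secret_value = os.environ['SECRET_VALUE']

original_text = path.read_text()

# Both patterns are anchored at the start of a line so that a commented-out
# entry ("# - KEY=...") is not mistaken for the active one. Only spaces and
# tabs are accepted around "-" and "=", and the value may be empty, so an
# entry with nothing after "=" cannot swallow the following line.
cookie_pattern = re.compile(
    r'^([ \t]*-[ \t]*ADMIN_SESSION_COOKIE_SECURE[ \t]*=[ \t]*)([^\n\r]*)',
    re.MULTILINE,
)
secret_pattern = re.compile(
    r'^([ \t]*-[ \t]*ADMIN_SESSION_SECRET[ \t]*=[ \t]*)([^\n\r]*)',
    re.MULTILINE,
)


def ensure_entry(text, *, pattern, value, anchor_line, expected_line, label):
    """Return (text, changed) with the entry matched by `pattern` set to `value`.

    Every active occurrence is rewritten, so a second definition further down
    the file cannot keep a different value. When no active entry exists,
    `expected_line` is inserted on a new line after the first occurrence of
    `anchor_line`; if the anchor is missing too, the process exits with
    status 2.
    """
    if pattern.search(text):
        updated = pattern.sub(lambda m: f"{m.group(1)}{value}", text)
        return updated, updated != text
    if anchor_line not in text:
        print(f"ERROR: Anchor line not found for {label}", file=sys.stderr)
        sys.exit(2)
    return text.replace(anchor_line, anchor_line + '\n' + expected_line, 1), True


new_text, cookie_changed = ensure_entry(
    original_text,
    pattern=cookie_pattern,
    value='true',
    anchor_line=anchor,
    expected_line=expected,
    label='ADMIN_SESSION_COOKIE_SECURE',
)
# Sanity check only: this is a plain substring test on the rewritten text.
if expected not in new_text:
    print('ERROR: Failed to ensure ADMIN_SESSION_COOKIE_SECURE=true in docker-compose.yml', file=sys.stderr)
    sys.exit(3)

new_text, secret_changed = ensure_entry(
    new_text,
    pattern=secret_pattern,
    value=secret_value,
    anchor_line=secret_anchor,
    expected_line=secret_expected,
    label='ADMIN_SESSION_SECRET',
)
# Sanity check only: this is a plain substring test on the rewritten text.
if secret_expected not in new_text:
    print('ERROR: Failed to ensure ADMIN_SESSION_SECRET uses environment variable in docker-compose.yml', file=sys.stderr)
    sys.exit(4)

# The file is written only when something changed; the single word printed on
# stdout is what the calling shell inspects.
if cookie_changed or secret_changed:
    path.write_text(new_text)
    print('UPDATED')
else:
    print('UNCHANGED')
PY
) || status=$?

if ((status != 0)); then
  # Python reports its own errors on stderr; forward any captured stdout too.
  if [[ -n "$result" ]]; then
    printf '%s\n' "$result" >&2
  fi
  echo "[pre-commit] Failed to normalize ADMIN_SESSION_COOKIE_SECURE/ADMIN_SESSION_SECRET" >&2
  exit "$status"
fi

if [[ "$result" == "UPDATED" ]]; then
  echo "[pre-commit] Normalized ADMIN_SESSION_COOKIE_SECURE/ADMIN_SESSION_SECRET in docker/prod/docker-compose.yml"
  # `git add` stages the whole working-tree version of the file, so unrelated
  # unstaged edits in the compose file become part of the commit as well.
  # If the rewrite replaced a literal secret, that value was present in the
  # working tree and should be rotated if it was ever pushed or shared.
  git -C "$ROOT_DIR" add -- "$TARGET_FILE"
fi

exit 0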