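#!/usr/bin/env bash
set -euo pipefail

# [DEF:docker.backend.entrypoint:Module]
# @TIER: STANDARD
# @SEMANTICS: docker, entrypoint, admin-bootstrap, runtime, backend
# @PURPOSE: Container entrypoint that performs optional idempotent admin bootstrap before starting backend runtime.
# @LAYER: Infra
# @RELATION: DEPENDS_ON -> backend/src/scripts/create_admin.py
# @INVARIANT: Existing admin account must never be overwritten during container restarts.
# [/DEF:docker.backend.entrypoint:Module]
#
# NOTE(review): this script does not enforce the invariant above itself. When
# the flag is enabled it calls create_admin.py on every container start, so the
# "never overwrite" guarantee presumably lives in create_admin.py; confirm there.

# [DEF:docker.backend.entrypoint.bootstrap_admin:Function]
# @PURPOSE: Execute optional initial admin bootstrap from runtime environment variables.
# @PRE: Python runtime and backend sources are available inside /app/backend.
# @POST: Admin is created only when INITIAL_ADMIN_CREATE=true and required credentials are present.
#
# Globals (read):
#   INITIAL_ADMIN_CREATE    enables the bootstrap when true/1/yes/y (any case)
#   INITIAL_ADMIN_USERNAME  required once the bootstrap is enabled
#   INITIAL_ADMIN_PASSWORD  required once the bootstrap is enabled
#   INITIAL_ADMIN_EMAIL     optional; forwarded as --email when non-empty
# Outputs: progress lines on stdout, validation errors on stderr.
# Returns: 0 when the bootstrap is skipped or succeeds; 1 when the username or
#          password is missing. A failing python3 step aborts through `set -e`.
bootstrap_admin() {
  local create_flag="${INITIAL_ADMIN_CREATE:-false}"
  local username="${INITIAL_ADMIN_USERNAME:-}"
  local password="${INITIAL_ADMIN_PASSWORD:-}"
  local email="${INITIAL_ADMIN_EMAIL:-}"

  # The flag is compared case-insensitively; anything outside the allow-list
  # below, including an unset variable, leaves the bootstrap off.
  case "${create_flag,,}" in
    true|1|yes|y)
      ;;
    *)
      echo "[entrypoint] INITIAL_ADMIN_CREATE is disabled; skipping admin bootstrap"
      return 0
      ;;
  esac

  # Fail closed: an enabled bootstrap without both credentials is an error, so
  # no account is ever created with an empty username or password.
  if [[ -z "${username}" ]]; then
    echo "[entrypoint] INITIAL_ADMIN_USERNAME is required when INITIAL_ADMIN_CREATE=true" >&2
    return 1
  fi

  if [[ -z "${password}" ]]; then
    echo "[entrypoint] INITIAL_ADMIN_PASSWORD is required when INITIAL_ADMIN_CREATE=true" >&2
    return 1
  fi

  # Both scripts are addressed by relative path, so they resolve against the
  # container's working directory (see @PRE above).
  echo "[entrypoint] initializing auth database"
  python3 src/scripts/init_auth_db.py

  # The log line names the user only; the password is never echoed.
  echo "[entrypoint] running idempotent admin bootstrap for user '${username}'"

  # Build the argument vector once as an array, so each value stays a single
  # word and the optional --email pair is appended instead of duplicating the
  # whole invocation in two branches.
  #
  # NOTE(review): the password is handed to create_admin.py on its command
  # line, so it is readable from the process listing (/proc/<pid>/cmdline) for
  # as long as that script runs. If create_admin.py can take the secret from
  # stdin or the environment, prefer that; confirm against the script.
  local -a admin_args=(--username "${username}" --password "${password}")
  if [[ -n "${email}" ]]; then
    admin_args+=(--email "${email}")
  fi

  python3 src/scripts/create_admin.py "${admin_args[@]}"
}
# [/DEF:docker.backend.entrypoint.bootstrap_admin:Function]

# Under `set -e`, a non-zero return from the bootstrap stops the container
# before the backend is started.
bootstrap_admin

# NOTE(review): INITIAL_ADMIN_PASSWORD remains exported to the process started
# below. If the backend does not read it, consider unsetting it before the exec
# so the bootstrap credential does not live in the long-running process's
# environment.
echo "[entrypoint] starting backend: $*"
# Replace this shell with the container command so the command receives signals
# directly.
exec "$@"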