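#!/bin/sh
# Render issue-core backends.json from environment, then start the API.
#
# The backend structure (host/owner/repo/default) is non-secret and supplied
# via the BACKENDS_TEMPLATE env (a ConfigMap), with the Gitea token injected
# from GITEA_BACKEND_TOKEN (an ExternalSecret-materialized Secret). The token
# is never baked into the image or committed to Git.
#
# Environment:
#   BACKENDS_TEMPLATE    (required) JSON object; entries whose "token" field is
#                        the literal "__FROM_ENV__" get the real token.
#   GITEA_BACKEND_TOKEN  (optional) secret substituted for the placeholder;
#                        defaults to the empty string.
#   LOG_LEVEL            (optional) passed to `issue serve`, default "info".
#
# The rendered file holds the token in clear text, so it is written with
# owner-only permissions (0600) instead of whatever the process umask allows.
set -eu

CONFIG_DIR="${HOME}/.config/issue-tracker"
mkdir -p "${CONFIG_DIR}"

# Abort early with a clear message if the template was not provided.
: "${BACKENDS_TEMPLATE:?BACKENDS_TEMPLATE env is required}"

# Substitute the token placeholder using python (always present in the image)
# to avoid shell-escaping issues with the secret value. The heredoc delimiter
# is quoted, so the shell performs no expansion inside the Python source and
# the token only travels through the process environment, never through argv.
GITEA_BACKEND_TOKEN="${GITEA_BACKEND_TOKEN:-}" \
BACKENDS_TEMPLATE="${BACKENDS_TEMPLATE}" \
python - "${CONFIG_DIR}/backends.json" <<'PY'
import json, os, sys

tmpl = json.loads(os.environ["BACKENDS_TEMPLATE"])
token = os.environ.get("GITEA_BACKEND_TOKEN", "")

# Replace every "__FROM_ENV__" placeholder and remember how many we touched.
substituted = 0
for cfg in tmpl.values():
    if isinstance(cfg, dict) and cfg.get("token") == "__FROM_ENV__":
        cfg["token"] = token
        substituted += 1

# An empty token is still rendered (same as before), but make the
# misconfiguration visible in the logs. The token value is never printed.
if substituted and not token:
    sys.stderr.write(
        "warning: GITEA_BACKEND_TOKEN is empty; %d backend(s) rendered "
        "with an empty token\n" % substituted
    )

# Create the file as 0600 so the secret is not readable by other users.
fd = os.open(sys.argv[1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
with os.fdopen(fd, "w") as fh:
    # The creation mode only applies to new files; tighten a pre-existing
    # file before any secret content is written. Best-effort: a failure here
    # is reported but does not stop startup.
    try:
        os.fchmod(fh.fileno(), 0o600)
    except OSError as exc:
        sys.stderr.write(
            "warning: could not restrict mode of %s: %s\n" % (sys.argv[1], exc)
        )
    json.dump(tmpl, fh, indent=2)
PY

# Replace the shell with the API server so it receives signals directly.
# NOTE(review): 0.0.0.0 binds every interface; reachability of port 8765 is
# presumably limited by the surrounding deployment (Service/NetworkPolicy) —
# confirm.
exec issue serve --host 0.0.0.0 --port 8765 --log-level "${LOG_LEVEL:-info}"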