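#!/usr/bin/env bash
#
# Deploy script: build the front-end bundle and the service images, push
# the images to Artifact Registry, record the new image tag in .env and
# in Secret Manager, pull runtime secrets from Secret Manager into this
# process environment only, then re-create the docker compose stack.
#
# Usage:    ./deploy.sh   (no arguments; cd's into ROOT itself)
# Requires: npm, docker, gcloud authenticated for PROJECT, and sudo
#           rights to run `docker compose` with --preserve-env.
set -euo pipefail

# ─────────────────────────────────────────────────────────────
# CONFIG – adjust only the lines below if you change projects
# ─────────────────────────────────────────────────────────────
ENV=dev                        # secret-name suffix, e.g. JWT_SECRET_dev
PROJECT=aptivaai-dev
ROOT=/home/jcoakley/aptiva-dev1-app
REG=us-central1-docker.pkg.dev/${PROJECT}/aptiva-repo
ENV_FILE="${ROOT}/.env"        # ← holds NON‑sensitive values only
readonly ENV PROJECT ROOT REG ENV_FILE

# Secret Manager entries; each is fetched as "<NAME>_${ENV}" and exported
# into the environment handed to docker compose. They are never written
# to disk by this script.
SECRETS=(
  JWT_SECRET
  OPENAI_API_KEY
  ONET_USERNAME
  ONET_PASSWORD
  STRIPE_SECRET_KEY
  STRIPE_PUBLISHABLE_KEY
  STRIPE_WH_SECRET
  STRIPE_PRICE_PREMIUM_MONTH
  STRIPE_PRICE_PREMIUM_YEAR
  STRIPE_PRICE_PRO_MONTH
  STRIPE_PRICE_PRO_YEAR
  DB_HOST
  DB_PORT
  DB_USER
  DB_PASSWORD
  TWILIO_ACCOUNT_SID
  TWILIO_AUTH_TOKEN
  TWILIO_MESSAGING_SERVICE_SID
)
readonly -a SECRETS

#######################################
# Print a message to stderr and abort the deploy.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Install dependencies (if node_modules is missing/old) and build the
# front-end bundle.
# Globals:   none
# Arguments: none
#######################################
build_frontend() {
  echo "🛠 Building front‑end bundle"
  npm ci --silent
  npm run build
}

#######################################
# Build one image per service from its Dockerfile and push it, all under
# the same tag.
# Globals:   REG (read)
# Arguments: $1 - image tag
#######################################
build_and_push_images() {
  local tag=$1
  local svc
  echo "🔨 Building & pushing containers (tag = ${tag})"
  for svc in server1 server2 server3; do
    docker build -f "Dockerfile.${svc}" -t "${REG}/${svc}:${tag}" .
    docker push "${REG}/${svc}:${tag}"
  done
}

#######################################
# Record the tag in .env, which keeps only static, non-sensitive keys
# (ports, API_BASE…). Replaces an existing IMG_TAG line or appends one.
# Globals:   ENV_FILE (read; the file it names is rewritten)
# Arguments: $1 - image tag
#######################################
record_tag_in_env_file() {
  local tag=$1
  if grep -q '^IMG_TAG=' "$ENV_FILE"; then
    sed -i "s/^IMG_TAG=.*/IMG_TAG=${tag}/" "$ENV_FILE"
  else
    printf 'IMG_TAG=%s\n' "$tag" >> "$ENV_FILE"
  fi
  echo "✅ .env updated with IMG_TAG=${tag}"
}

#######################################
# Publish the tag to Secret Manager, the canonical source for the
# deployed image version.
# Globals:   PROJECT (read)
# Arguments: $1 - image tag
#######################################
publish_tag_to_secret_manager() {
  local tag=$1
  # echo keeps the trailing newline the previous versions carried;
  # consumers of IMG_TAG_DEV1 may rely on that exact payload.
  echo "${tag}" | gcloud secrets versions add IMG_TAG_DEV1 \
    --data-file=- \
    --project="$PROJECT"
  echo "📦 IMG_TAG pushed to Secret Manager as IMG_TAG_DEV1"
}

#######################################
# Export every entry of SECRETS straight from Secret Manager into this
# shell. Values live only in the process environment, never on disk.
# Globals:   SECRETS, ENV, PROJECT (read); one env var per secret and
#            FROM_SECRETS_MANAGER (written)
# Arguments: none
# Returns:   aborts the script if any fetch fails or yields an empty value
#######################################
export_secrets() {
  local name value
  echo "🔐 Pulling ${ENV} secrets from Secret Manager"
  for name in "${SECRETS[@]}"; do
    # Fetch and export separately: `export X="$(cmd)"` returns export's
    # own status (always 0), so a failing gcloud call would silently
    # export an empty secret and the deploy would carry on with it.
    value=$(gcloud secrets versions access latest \
      --secret="${name}_${ENV}" \
      --project="$PROJECT") || die "failed to fetch secret ${name}_${ENV}"
    [[ -n "$value" ]] || die "secret ${name}_${ENV} is empty; refusing to deploy"
    export "$name"="$value"
  done
  # A flag so we can see in the container env where they came from
  export FROM_SECRETS_MANAGER=true
}

#######################################
# Re-create the compose stack, passing through sudo only the variables
# docker‑compose needs for expansion.
# Globals:   SECRETS (read); IMG_TAG, FROM_SECRETS_MANAGER,
#            REACT_APP_API_URL and the exported secrets are forwarded
# Arguments: none
#######################################
recreate_stack() {
  local preserve
  preserve=IMG_TAG,FROM_SECRETS_MANAGER,REACT_APP_API_URL,$(IFS=,; echo "${SECRETS[*]}")
  # Only variable names are logged here; values never reach stdout.
  echo "🚀 docker compose up -d (with preserved env: $preserve)"
  sudo --preserve-env="$preserve" docker compose up -d --force-recreate \
    2> >(grep -v 'WARN \[0000\] ')
  echo "✅ Deployment finished"
}

#######################################
# Entry point: build ➔ push ➔ bump IMG_TAG ➔ pull secrets ➔ re‑create.
# Globals:   ROOT (read); IMG_TAG (written)
# Arguments: ignored
#######################################
main() {
  local tag
  cd "$ROOT" || die "cannot cd to $ROOT"
  build_frontend
  tag=$(date -u +%Y%m%d%H%M)
  build_and_push_images "$tag"
  record_tag_in_env_file "$tag"
  publish_tag_to_secret_manager "$tag"
  # Exported so the IMG_TAG entry in the --preserve-env list actually
  # carries a value into docker compose; it matches what .env now holds.
  export IMG_TAG="$tag"
  export_secrets
  recreate_stack
}

main "$@"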