#!/usr/bin/env bash
set -euo pipefail

# 1. Derive the directory from DEK_PATH (e.g. /run/secrets/dev/dek.enc ⇒ /run/secrets/dev)
EDEK_DIR="$(dirname "${DEK_PATH}")"

# 2. Make sure it exists and is owned by UID 1000 (the “node” user in the official image)
mkdir -p  "${EDEK_DIR}"
chown -R 1000:1000 "${EDEK_DIR}"

# 3. Chain‑exec as the unprivileged user
exec gosu node "$@"