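#!/usr/bin/env bash
#
# Smoke test for a deployed environment: health endpoints, CORS origin
# enforcement, and the public data endpoints.
#
# Environment (all optional):
#   BASE           base URL of the deployment under test
#   GOOD_ORIGIN    an origin the API is expected to accept
#   BAD_ORIGIN     an origin the API is expected to reject
#   CURL_MAX_TIME  per-request time limit in seconds (default 30)
#
# Requires: curl, jq.
set -euo pipefail

BASE="${BASE:-https://dev1.aptivaai.com}"
GOOD_ORIGIN="${GOOD_ORIGIN:-https://dev1.aptivaai.com}"
BAD_ORIGIN="${BAD_ORIGIN:-https://evil.example.com}"
CURL_MAX_TIME="${CURL_MAX_TIME:-30}"

# Bound every request so a hung backend fails the run instead of stalling it.
curl_opts=(--connect-timeout 5 --max-time "$CURL_MAX_TIME")

pass() { echo "✅ $*"; }
fail() { echo "❌ $*" >&2; exit 1; }

command -v curl >/dev/null || fail "curl is required"
command -v jq >/dev/null || fail "jq is required"

# Response headers of the CORS probes are written here for inspection.
hdr_file=$(mktemp) || fail "mktemp failed"
trap 'rm -f -- "$hdr_file"' EXIT

# --- Health checks (server1/2/3) ---
for p in /livez /readyz /healthz; do
  curl -fsS "${curl_opts[@]}" "${BASE}${p}" >/dev/null || fail "server2 $p"
done
pass "server2 health endpoints up"

# try server1 + server3 via Nginx locations if you expose them
# (adjust paths if prefixed)
for SVC in server1 server3; do
  # if/else rather than `a && b || c`, so the fallback message depends only
  # on the curl result.
  if curl -fsS "${curl_opts[@]}" "$BASE/$SVC/healthz" >/dev/null; then
    pass "$SVC healthz OK"
  else
    echo "ℹ️ $SVC /healthz not routed publicly (ok if intentional)"
  fi
done

cors_url="$BASE/api/data/career-clusters"

# --- CORS: allowed origin (expect 200 for a safe GET) ---
# `|| true`: on a transport error curl still prints 000 via -w, and we want
# the explicit failure message below instead of a silent `set -e` exit.
code=$(curl -s "${curl_opts[@]}" -o /dev/null -w '%{http_code}' \
  -H "Origin: $GOOD_ORIGIN" "$cors_url") || true
[[ "$code" == "200" ]] || fail "CORS allowed origin should be 200, got $code"
pass "CORS allowed origin OK"

# --- CORS: bad origin (expect 403) ---
code=$(curl -s "${curl_opts[@]}" -o /dev/null -D "$hdr_file" -w '%{http_code}' \
  -H "Origin: $BAD_ORIGIN" "$cors_url") || true
[[ "$code" == "403" ]] || fail "CORS bad origin should be 403, got $code"

# The status code alone does not show what a browser would do: cross-origin
# reads are governed by Access-Control-Allow-Origin. Confirm the rejected
# origin is not echoed back in that header.
if awk -v bad="$BAD_ORIGIN" '
  tolower($0) ~ /^access-control-allow-origin:/ && index($0, bad) { found = 1 }
  END { exit !found }
' "$hdr_file"; then
  fail "CORS bad origin is reflected in Access-Control-Allow-Origin"
fi
pass "CORS bad origin blocked"

# --- Public data flows (server2) ---
curl -fsS "${curl_opts[@]}" "$BASE/api/projections/15-1252?state=GA" \
  | jq . >/dev/null || fail "projections"

# The area value contains spaces and a comma, which are not valid in a raw
# URL; -G with --data-urlencode lets curl encode the query string.
curl -fsS "${curl_opts[@]}" -G "$BASE/api/salary" \
  --data-urlencode "socCode=15-1252" \
  --data-urlencode "area=Atlanta-Sandy Springs-Roswell, GA" \
  | jq . >/dev/null || fail "salary"

curl -fsS "${curl_opts[@]}" "$BASE/api/tuition?cipCodes=1101,1103&state=GA" \
  | jq . >/dev/null || fail "tuition"
pass "public data endpoints OK"

echo "✓ SMOKE PASSED"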