#!/usr/bin/env bash
# dev-up-auth.sh — start Continuum with full Zitadel auth (AUTH_BYPASS=false).
#
# Requires src/.env to have:
#   ZITADEL_CLIENT_ID=<from Zitadel console>
#   ZITADEL_ISSUER=http://localhost:8080  (default, already in .env.example)
#
# First-time Zitadel setup (run once after initial docker compose up):
#   docker compose -f src/docker-compose.yml logs zitadel 2>&1 \
#     | grep -oE "eyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+" \
#     | head -1
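#   # copy the JWE token → add to src/.env: ZITADEL_SEEDER_PAT=<token>
#   # (the token is a live credential: keep src/.env out of version control
#   #  and do not paste the log output into tickets or chat)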
#   docker compose -f src/docker-compose.yml --profile seed run --rm zitadel-branding
#
# Mobile is separate — run ./mobile-up-auth.sh in another terminal.

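# Strict mode: abort on command failure, unset variables and failed
# pipeline stages.
set -euo pipefail

# Run from src/ (relative to this script) so .env and the compose project
# resolve no matter where the script was invoked from.
cd -- "$(dirname -- "$0")/src"

# Load .env so required variables can be validated before starting.
# The file is executed as shell code, so it must be trusted and should hold
# only plain KEY=value lines. The explicit ./ matters: with a bare
# `source .env`, bash looks through $PATH first and only then falls back to
# the current directory.
if [[ -f ./.env ]]; then
  set -a
  # shellcheck source=/dev/null
  source ./.env
  set +a
fi

# Exported after .env is loaded so these values override anything it set.
# NOTE(review): this only reaches the containers if docker-compose.yml
# interpolates ${AUTH_BYPASS}; a service that reads .env through `env_file:`
# would still receive the .env value. Confirm against the compose file,
# because an AUTH_BYPASS=true left in .env would then keep auth disabled.
export AUTH_BYPASS=false
export ENVIRONMENT=development

# Refuse to start without an OIDC client id; the stack cannot authenticate
# against Zitadel without one.
if [[ -z "${ZITADEL_CLIENT_ID:-}" ]]; then
  # Diagnostics go to stderr so they are not mixed into captured stdout.
  printf '%s\n' \
    "" \
    "  Error: ZITADEL_CLIENT_ID is not set in src/.env" \
    "  Get it from the Zitadel console after first boot:" \
    "    http://localhost:8080  →  Projects → continuum → Applications" \
    "" >&2
  exit 1
fi

# Startup banner: local endpoints and the effective OIDC issuer.
printf '%s\n' \
  "" \
  "  Continuum — full auth mode" \
  "  API      http://localhost:8000" \
  "  UI       http://localhost:5173" \
  "  Zitadel  http://localhost:8080" \
  "  Login    http://localhost:3000" \
  "  Auth     ON — Zitadel OIDC (issuer: ${ZITADEL_ISSUER:-http://localhost:8080})" \
  ""

# Replace this shell with docker compose, forwarding any extra arguments
# (e.g. -d, --build) unchanged.
exec docker compose up "$@"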
