#!/bin/sh
set -eu

if [ "${VAULT_ENABLED:-auto}" = "false" ] || [ "${VAULT_ENABLED:-auto}" = "0" ]; then
  exit 0
fi

if [ -z "${VAULT_ADDR:-}" ] || [ -z "${VAULT_TOKEN:-}" ]; then
  if [ "${VAULT_ENABLED:-auto}" = "true" ] || [ "${VAULT_ENABLED:-auto}" = "1" ]; then
    echo "VAULT_ENABLED=true but VAULT_ADDR/VAULT_TOKEN are not set" >&2
    exit 1
  fi
  exit 0
fi

if ! command -v curl >/dev/null 2>&1 || ! command -v jq >/dev/null 2>&1; then
  echo "Vault bootstrap requires curl and jq." >&2
  exit 1
fi

kv_mount="${VAULT_KV_MOUNT:-secret}"

load_path() {
  path="$1"
  [ -z "$path" ] && return 0

  payload="$(curl -fsS -H "X-Vault-Token: ${VAULT_TOKEN}" "${VAULT_ADDR%/}/v1/${kv_mount}/data/${path}")"
  echo "$payload" | jq -r '.data.data // {} | to_entries[] | "\(.key)=\(.value|tostring)"' | while IFS='=' read -r k v; do
    export "$k=$v"
  done
}

load_path "${VAULT_SHARED_PATH:-}"
load_path "${VAULT_PROJECT_PATH:-}"