/**
 * Load secrets from Infisical using Machine Identity (Universal Auth)
 * Writes secrets to .env.infisical file for sourcing
 */
import { InfisicalSDK } from "@infisical/sdk";
import { writeFileSync } from "fs";

const INFISICAL_API_URL = process.env.INFISICAL_API_URL;
const INFISICAL_CLIENT_ID = process.env.INFISICAL_CLIENT_ID;
const INFISICAL_CLIENT_SECRET = process.env.INFISICAL_CLIENT_SECRET;
const INFISICAL_PROJECT_ID = process.env.INFISICAL_PROJECT_ID;
const INFISICAL_ENV = process.env.INFISICAL_ENV || "prod";

if (!INFISICAL_API_URL || !INFISICAL_CLIENT_ID || !INFISICAL_CLIENT_SECRET || !INFISICAL_PROJECT_ID) {
  process.stderr.write("Missing required Infisical environment variables\n");
  process.exit(1);
}

const client = new InfisicalSDK({ siteUrl: INFISICAL_API_URL });

await client.auth().universalAuth.login({
  clientId: INFISICAL_CLIENT_ID,
  clientSecret: INFISICAL_CLIENT_SECRET,
});

process.stderr.write(`Loading secrets from Infisical (env: ${INFISICAL_ENV})...\n`);

const envLines = [];

for (const secretPath of ["/webapp", "/shared"]) {
  const response = await client.secrets().listSecrets({
    projectId: INFISICAL_PROJECT_ID,
    environment: INFISICAL_ENV,
    secretPath: secretPath,
    expandSecretReferences: true,
  });

  for (const secret of response.secrets) {
    // Escape special characters for shell
    const escapedValue = secret.secretValue.replace(/'/g, "'\\''");
    envLines.push(`export ${secret.secretKey}='${escapedValue}'`);
  }

  process.stderr.write(`  ${secretPath}: ${response.secrets.length} secrets loaded\n`);
}

writeFileSync(".env.infisical", envLines.join("\n"));
process.stderr.write("Secrets written to .env.infisical\n");