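#!/usr/bin/env bash
# Lint every Apps/<app>/docker-compose.yaml in this repository.
#
# Hard errors (exit 1):
#   - README.md missing next to the compose file
#   - no valid top-level `name:` (lowercase letters, digits and '-')
#   - an `image:` pinned to the mutable ':latest' tag
#   - no top-level `x-casaos:` block
# Warnings (exit 0): high-risk settings — privileged: true, network_mode: host
# or a Docker socket mount. With --enforce-risk-docs those become hard errors
# unless README.md contains a "## Säkerhetsavvikelser" / "## Security Exceptions"
# section documenting the deviation.
#
# Apps/_template is skipped. Requires ripgrep (rg). Exits 2 on bad usage.
set -euo pipefail

repo_root="$(cd "$(dirname "$0")/.." && pwd)"
cd "$repo_root"

status=0            # set to 1 once any hard error has been reported
warnings=0          # number of compose files with high-risk settings
enforce_risk_docs=0 # 1 when --enforce-risk-docs was given

# Regex fragments: YAML scalars may be wrapped in ' (\x27) or " (\x22), so a
# quoted value such as `image: "foo:latest"` must not slip past the checks.
readonly yaml_quote='[\x22\x27]?'
readonly no_ws_or_quote='[^[:space:]\x22\x27]+'
readonly risk_section_re='^##\s+(Säkerhetsavvikelser|Security Exceptions)\s*$'

usage() {
  echo "Usage: $0 [--enforce-risk-docs]"
}

#######################################
# Quietly test whether a file has a line matching a ripgrep regex.
# Arguments: $1 - regex, $2 - file
# Returns:   0 on match, non-zero otherwise (including unreadable file)
#######################################
has_match() {
  rg -q -- "$1" "$2"
}

#######################################
# Run every check for one compose file; findings are printed to stdout.
# Globals:   status, warnings (written); enforce_risk_docs (read)
# Arguments: $1 - path to docker-compose.yaml
#######################################
check_compose_file() {
  local compose_file=$1
  local app_dir app_id readme_file
  app_dir="$(dirname "$compose_file")"
  app_id="$(basename "$app_dir")"
  readme_file="$app_dir/README.md"

  # The template directory is documentation, not a deployable app.
  if [[ "$app_id" == "_template" ]]; then
    return 0
  fi

  if [[ ! -f "$readme_file" ]]; then
    echo "ERROR: $app_dir saknar README.md"
    status=1
  fi

  if ! has_match '^name:\s*[a-z0-9-]+\s*$' "$compose_file"; then
    echo "ERROR: $compose_file saknar giltigt top-level 'name' (gemener + '-')"
    status=1
  fi

  # Only an explicit ':latest' tag is rejected; an image with no tag at all
  # (implicitly latest) is not caught by this pattern.
  if has_match "image:\s*${yaml_quote}${no_ws_or_quote}:latest${yaml_quote}\s*\$" "$compose_file"; then
    echo "ERROR: $compose_file använder förbjuden image-tag ':latest'"
    status=1
  fi

  if ! has_match '^x-casaos:\s*$' "$compose_file"; then
    echo "ERROR: $compose_file saknar top-level 'x-casaos'"
    status=1
  fi

  # Settings that widen the container's blast radius; reported, not rejected.
  local -a risk_items=()
  if has_match '^\s*privileged:\s*true\s*$' "$compose_file"; then
    risk_items+=("privileged:true")
  fi
  if has_match "^\s*network_mode:\s*${yaml_quote}host${yaml_quote}\s*\$" "$compose_file"; then
    risk_items+=("network_mode:host")
  fi
  # /run/docker.sock is the same socket on systems where /var/run -> /run.
  if has_match '(/var)?/run/docker\.sock' "$compose_file"; then
    risk_items+=("docker.sock-mount")
  fi

  if (( ${#risk_items[@]} > 0 )); then
    warnings=$((warnings + 1))
    echo "WARN: $compose_file använder högrisk-inställningar: ${risk_items[*]}"
    if (( enforce_risk_docs == 1 )); then
      if [[ ! -f "$readme_file" ]] || ! has_match "$risk_section_re" "$readme_file"; then
        echo "ERROR: $app_dir har högrisk-inställningar men README.md saknar sektion '## Säkerhetsavvikelser' (eller '## Security Exceptions')"
        status=1
      fi
    fi
  fi
}

if [[ "${1:-}" == "--enforce-risk-docs" ]]; then
  enforce_risk_docs=1
  shift
fi

if [[ $# -ne 0 ]]; then
  usage
  exit 2
fi

if [[ ! -d Apps ]]; then
  echo "ERROR: Apps/ saknas"
  exit 1
fi

# Every check below shells out to ripgrep; fail loudly instead of letting
# each `if rg` silently evaluate to false.
if ! command -v rg >/dev/null 2>&1; then
  echo "ERROR: rg (ripgrep) saknas" >&2
  exit 1
fi

# NUL-delimited so unusual path characters cannot break the loop; byte-wise
# sort keeps the report order stable across locales.
while IFS= read -r -d '' compose_file; do
  check_compose_file "$compose_file"
done < <(find Apps -type f -name 'docker-compose.yaml' -print0 | LC_ALL=C sort -z)

if [[ $status -ne 0 ]]; then
  echo "Validation FAILED"
  exit "$status"
fi

if [[ $warnings -gt 0 ]]; then
  echo "Validation OK with $warnings warning(s)"
  exit 0
fi

echo "Validation OK"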