#!/bin/bash
# =============================================================================
# Environment Variables Validation Script (TASK-QA-009)
# =============================================================================
# Validates required environment variables for Veza development.
# See docs/ENV_VARIABLES.md for full reference.
#
# Usage:
#   ./scripts/validate-env.sh [environment]
#   environment: development (default), production, test
#
# Can be run before make dev or integrated in make doctor.
# =============================================================================

set -e

ENVIRONMENT=${1:-development}
ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
cd "$ROOT"

RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m'

check_var() {
    local var_name=$1
    local required=$2
    local value="${!var_name}"

    if [ -z "$value" ]; then
        if [ "$required" = "required" ]; then
            echo -e "  ${RED}✗ ${var_name} (required, not set)${NC}"
            return 1
        else
            echo -e "  ${YELLOW}○ ${var_name} (optional, not set)${NC}"
            return 0
        fi
    else
        echo -e "  ${GREEN}✓ ${var_name}${NC}"
        return 0
    fi
}

echo ""
echo "🔍 Environment validation (${ENVIRONMENT})"
echo "   Ref: docs/ENV_VARIABLES.md"
echo ""

ERRORS=0

# Load .env if present (optional)
if [ -f .env ]; then
    set -a
    source .env
    set +a
fi

echo "Required variables:"
check_var "DATABASE_URL" "required" || ERRORS=$((ERRORS + 1))
check_var "REDIS_URL" "required" || ERRORS=$((ERRORS + 1))

# JWT: either RS256 keys OR JWT_SECRET (dev fallback)
JWT_PRIVATE=$(printenv JWT_PRIVATE_KEY_PATH 2>/dev/null || true)
JWT_PUBLIC=$(printenv JWT_PUBLIC_KEY_PATH 2>/dev/null || true)
JWT_SECRET=$(printenv JWT_SECRET 2>/dev/null || true)
if [ -n "$JWT_PRIVATE" ] && [ -n "$JWT_PUBLIC" ]; then
    echo -e "  ${GREEN}✓ JWT (RS256: keys configured)${NC}"
elif [ -n "$JWT_SECRET" ] && [ ${#JWT_SECRET} -ge 32 ]; then
    echo -e "  ${GREEN}✓ JWT (HS256 fallback, min 32 chars)${NC}"
else
    echo -e "  ${RED}✗ JWT_PRIVATE_KEY_PATH + JWT_PUBLIC_KEY_PATH, or JWT_SECRET (min 32 chars)${NC}"
    ERRORS=$((ERRORS + 1))
fi

echo ""
echo "Optional (development):"
check_var "CORS_ALLOWED_ORIGINS" "optional"
check_var "FRONTEND_URL" "optional"

if [ "$ENVIRONMENT" = "production" ]; then
    echo ""
    echo "Production-specific:"
    check_var "CORS_ALLOWED_ORIGINS" "required" || ERRORS=$((ERRORS + 1))
fi

echo ""
if [ $ERRORS -eq 0 ]; then
    echo -e "${GREEN}✓ Validation passed.${NC}"
    exit 0
else
    echo -e "${RED}✗ Validation failed ($ERRORS error(s)).${NC}"
    echo "  See docs/ENV_VARIABLES.md and .env.example"
    exit 1
fi