FROM oven/bun:1-slim

ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get install -y --no-install-recommends \
  git ca-certificates curl sqlite3 rsync python3 \
  && rm -rf /var/lib/apt/lists/*

WORKDIR /app

ARG LUMIVERSE_REPO=https://github.com/prolix-oc/Lumiverse.git
ARG LUMIVERSE_REF=staging
RUN git clone --depth 1 --branch "${LUMIVERSE_REF}" "${LUMIVERSE_REPO}" .

RUN cat > /tmp/patch-auth-rewrite.mjs <<'PATCH'
import { readFileSync, writeFileSync } from "fs";

const path = "src/app.ts";
const src = readFileSync(path, "utf8");

const before = `app.on(["POST", "GET"], "/api/auth/*", (c) => {
  const host = c.req.header("host");
  if (host) {
    const url = new URL(c.req.url);
    const rewritten = new URL(url.pathname + url.search, \`http://\${host}\`);
    return auth.handler(new Request(rewritten.toString(), c.req.raw));
  }
  return auth.handler(c.req.raw);
});`;

const after = `app.on(["POST", "GET"], "/api/auth/*", (c) => {
  const host = c.req.header("x-forwarded-host") || c.req.header("host");
  const proto = c.req.header("x-forwarded-proto") || "http";

  if (host) {
    const url = new URL(c.req.url);
    const rewritten = new URL(url.pathname + url.search, \`\${proto}://\${host}\`);
    return auth.handler(new Request(rewritten.toString(), c.req.raw));
  }
  return auth.handler(c.req.raw);
});`;

if (!src.includes(before)) {
  console.error("[patch] Expected auth rewrite block not found in src/app.ts");
  process.exit(1);
}

writeFileSync(path, src.replace(before, after), "utf8");
console.log("[patch] Patched src/app.ts for x-forwarded-proto/host");
PATCH

RUN bun /tmp/patch-auth-rewrite.mjs \
  && grep -n "x-forwarded-proto" src/app.ts >/dev/null

RUN rm -f package-lock.json && bun install --production

WORKDIR /app/frontend
RUN rm -f package-lock.json && bun install && bun run build
RUN printf "self.addEventListener('install',e=>self.skipWaiting());self.addEventListener('activate',e=>e.waitUntil(self.clients.claim()));\n" > /app/frontend/dist/sw.js
RUN test -f /app/frontend/dist/index.html

WORKDIR /app
ENV NODE_ENV=production
ENV PORT=7860
ENV DATA_DIR=/app/data
ENV FRONTEND_DIR=/app/frontend/dist
ENV TRUST_ANY_ORIGIN=true
ENV OWNER_PASSWORD="admin123admin"

RUN cat > /app/start.sh <<'SH'
#!/usr/bin/env sh
set -eu

export DATA_DIR="${DATA_DIR:-/app/data}"

# Run with the runner script so IPC is available for the operator page
exec bun run scripts/runner.ts
SH

RUN chmod +x /app/start.sh

USER root
RUN mkdir -p /app/data && chown -R bun:bun /app/data

EXPOSE 7860
VOLUME /app/data

USER bun
CMD ["/app/start.sh"]