#!/bin/bash
# ══════════════════════════════════════════════════════════════
# Mii entrypoint wrapper — runs AS ROOT.
#
# Base image (hermes-agent) migrated from tini → s6-overlay.
# We keep tini as PID 1 (simpler on HF Spaces) and skip the
# deprecated /opt/hermes/docker/entrypoint.sh. start.sh handles
# all Hermes setup; hermes exec-shim auto-drops to hermes user.
# ══════════════════════════════════════════════════════════════
set -e

# ── 1. AdGuard DNS ──
if ! grep -q '94.140.14.14' /etc/resolv.conf 2>/dev/null; then
  printf 'nameserver 94.140.14.14\nnameserver 94.140.15.15\n' > /etc/resolv.conf 2>/dev/null || true
fi

# ── 2. PATH: add s6-overlay /command + hermes binaries ──
export PATH="/command:/opt/hermes/bin:/opt/hermes/.venv/bin:/opt/data/.local/bin:${PATH}"
export HF_HUB_DISABLE_TELEMETRY=1

# ── 3. Ensure HERMES_HOME exists and hermes user can write ──
HERMES_HOME="${HERMES_HOME:-/opt/data}"
mkdir -p "$HERMES_HOME"
chown hermes:hermes "$HERMES_HOME" 2>/dev/null || true

# ── 4. Exec CMD (start.sh runs as root; hermes shim handles priv-drop) ──
exec "$@"