.env

# This file is committed to git no secrets.
# Vault environment loader wrapper
# Usage: source .env.vault (never run directly)

set -o pipefail

if [[ "${BASH_SOURCE[0]}" == "${0}" ]]; then
    echo "This script must be sourced: source .env.vault" >&2
    exit 1
fi

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
HELPER_PATH="${VAULT_HELPER_PATH:-${SCRIPT_DIR}/scripts/vault-helper.sh}"

if [[ ! -r "$HELPER_PATH" ]]; then
    echo "Vault helper not found at $HELPER_PATH" >&2
    return 1
fi

# shellcheck source=./scripts/vault-helper.sh
source "$HELPER_PATH"

DEFAULT_VAULT_SECRET_DEFS=$'kv/Sonarqube/sonarqube|SONAR_TOKEN=SONAR_TOKEN SONAR_TOKEN=sonar_token SONAR_TOKEN=token\nkv/dependencytrack|DTRACK_API_KEY=DTRACK_API_KEY DTRACK_API_KEY=api_key DTRACK_API_KEY=token'
DEFAULT_VAULT_REQUIRED_VARS="SONAR_TOKEN DTRACK_API_KEY"

if [[ -z "${VAULT_TOKEN:-}" ]]; then
    token_candidates=()
    if [[ -n "${VAULT_TOKEN_FILE:-}" ]]; then
        token_candidates+=("$VAULT_TOKEN_FILE")
    fi
    token_candidates+=("${HOME}/.vault-token" "/home/vscode/.vault-token" "/root/.vault-token")
    for token_path in "${token_candidates[@]}"; do
        if [[ -r "$token_path" ]]; then
            VAULT_TOKEN_FILE="$token_path"
            export VAULT_TOKEN_FILE
            break
        fi
    done
fi

SECRET_DEFS="${VAULT_SECRET_PATHS:-$DEFAULT_VAULT_SECRET_DEFS}"
REQUIRED_VARS="${VAULT_REQUIRED_VARS:-$DEFAULT_VAULT_REQUIRED_VARS}"

vault_helper::load_from_definitions "$SECRET_DEFS" "$REQUIRED_VARS" "$VAULT_TOKEN_FILE"
vault_status=$?
if [[ $vault_status -ne 0 ]]; then
    echo "Error: vault_helper::load_from_definitions failed with exit code $vault_status" >&2
    return "$vault_status"
fi

# Commented out for CI/automated testing
# SONAR_TOKEN=""
DTR_PROJECT_KEY=
# DTRACK_API_KEY=""
DTRACK_PROJECT=sonarqube-mcp
DTRACK_PROJECT_VERSION=main