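#!/usr/bin/env bash
# Build hardened images for the core services using the shared template/matrix (DOCKER-44-001)
#
# Reads the services matrix — one `service|dockerfile|project|binary|port` line per
# image; blank lines and lines starting with `#` are ignored — and runs one
# `docker build` per entry with the repository root as the build context.
#
# Environment (all optional):
#   ROOT           repository root; defaults to `git rev-parse --show-toplevel`
#   MATRIX         path to the services matrix file
#   REGISTRY       image name prefix; images are tagged REGISTRY/<service>:TAG_SUFFIX
#   TAG_SUFFIX     tag applied to every built image
#   SDK_IMAGE      .NET SDK base image handed to service Dockerfiles as a build arg
#   RUNTIME_IMAGE  .NET runtime base image handed to service Dockerfiles as a build arg
#
# Exit status: 1 when the matrix file is missing; otherwise the status of the first
# failing `docker build` (set -e), or 0 when every entry was built or skipped.
set -euo pipefail

ROOT=${ROOT:-"$(git rev-parse --show-toplevel)"}
MATRIX=${MATRIX:-"${ROOT}/ops/devops/docker/services-matrix.env"}
REGISTRY=${REGISTRY:-"stellaops"}
TAG_SUFFIX=${TAG_SUFFIX:-"dev"}
# The default base images are pinned by tag only, so two runs can resolve to
# different upstream layers. For reproducible, attestable builds prefer a digest
# pin (IMAGE@sha256:<digest>) supplied through these variables by the pipeline.
SDK_IMAGE=${SDK_IMAGE:-"mcr.microsoft.com/dotnet/sdk:10.0-bookworm-slim"}
RUNTIME_IMAGE=${RUNTIME_IMAGE:-"mcr.microsoft.com/dotnet/aspnet:10.0-bookworm-slim"}
readonly ROOT MATRIX REGISTRY TAG_SUFFIX SDK_IMAGE RUNTIME_IMAGE

#######################################
# Write a diagnostic line to stderr.
# Arguments: message words (joined with a single space)
#######################################
log() {
  printf '%s\n' "$*" >&2
}

#######################################
# Build the Angular console image from its dedicated Dockerfile.
# Globals:   ROOT (read)
# Arguments: $1 Dockerfile path, $2 APP_DIR, $3 APP_PORT, $4 image reference
# Returns:   exit status of `docker build`
#######################################
build_console_image() {
  local df_path=$1 app_dir=$2 port=$3 image=$4
  docker build \
    -f "${df_path}" "${ROOT}" \
    --build-arg APP_DIR="${app_dir}" \
    --build-arg APP_PORT="${port}" \
    -t "${image}"
}

#######################################
# Build a .NET service image from the shared Dockerfile template.
# Globals:   ROOT, SDK_IMAGE, RUNTIME_IMAGE (read)
# Arguments: $1 Dockerfile path, $2 APP_PROJECT, $3 APP_BINARY, $4 APP_PORT,
#            $5 image reference
# Returns:   exit status of `docker build`
#######################################
build_service_image() {
  local df_path=$1 project=$2 binary=$3 port=$4 image=$5
  # Build args are recorded in image metadata; the matrix must never carry secrets.
  docker build \
    -f "${df_path}" "${ROOT}" \
    --build-arg SDK_IMAGE="${SDK_IMAGE}" \
    --build-arg RUNTIME_IMAGE="${RUNTIME_IMAGE}" \
    --build-arg APP_PROJECT="${project}" \
    --build-arg APP_BINARY="${binary}" \
    --build-arg APP_PORT="${port}" \
    -t "${image}"
}

#######################################
# Iterate over the matrix and build every listed image.
# Globals:   MATRIX, REGISTRY, TAG_SUFFIX, ROOT (read)
# Returns:   see file header
#######################################
main() {
  local service dockerfile project binary port image df_path

  if [[ ! -f "${MATRIX}" ]]; then
    log "matrix file not found: ${MATRIX}"
    exit 1
  fi

  log "Building services from ${MATRIX} -> ${REGISTRY}/:${TAG_SUFFIX}"

  # The matrix is read on fd 3 rather than stdin so that `docker build` (or anything
  # it spawns) cannot consume the remaining matrix lines. The `|| [[ -n ... ]]`
  # keeps a final entry whose line lacks a trailing newline.
  while IFS='|' read -r -u 3 service dockerfile project binary port \
      || [[ -n "${service}" ]]; do
    # Skip blank lines and comments.
    [[ -z "${service}" || "${service}" =~ ^# ]] && continue
    image="${REGISTRY}/${service}:${TAG_SUFFIX}"
    # Dockerfile paths are relative to the repository root; the matrix is versioned
    # alongside the Dockerfiles and is treated as trusted input here.
    df_path="${ROOT}/${dockerfile}"
    if [[ ! -f "${df_path}" ]]; then
      log "skipping ${service}: dockerfile missing (${df_path})"
      continue
    fi
    if [[ "${dockerfile}" == *"Dockerfile.console"* ]]; then
      # Angular console build uses its dedicated Dockerfile
      log "[console] ${service} -> ${image}"
      build_console_image "${df_path}" "${project}" "${port}" "${image}"
    else
      log "[service] ${service} -> ${image}"
      build_service_image "${df_path}" "${project}" "${binary}" "${port}" "${image}"
    fi
  done 3< "${MATRIX}"

  log "Build complete. Remember to enforce readOnlyRootFilesystem at deploy time and run sbom_attest.sh (DOCKER-44-002)."
}

main "$@"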