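#!/bin/sh
# matrix-bridge container entrypoint — the container's "environment seam".
#
# Generates ~/.ssh/config for the `mac-bridge` alias from config.toml's [mac] section, then
# execs the bot. This mirrors the Mac side, where launch-claude.sh owns environment setup and
# the bot stays dumb (AGENTS.md D4): SSH-client wiring lives here, not in bot.py. On the Spark
# HOST the bot uses modelo's existing ~/.ssh/config; in the container we recreate just the one
# alias we need, pointing at the mounted key.
#
# Usage:   entrypoint.sh <bot command...>
# Env:     MB_SSH_KEY  optional in-container path of the mounted private key
#                      (default: $HOME/.ssh/id_ed25519)
# Reads:   /app/config.toml ([mac].hostname, [mac].user, optional [mac].ssh_alias)
# Writes:  $HOME/.ssh/config (mode 0600)
# Needs:   python >= 3.11 (tomllib is stdlib from 3.11 onward)
set -e

# `exec` with no command is a silent no-op under sh, so a broken docker-compose `command:`
# would make the container exit 0 without ever starting the bot. Fail loudly instead.
if [ "$#" -eq 0 ]; then
  printf 'usage: %s <bot command...>\n' "${0##*/}" >&2
  exit 64
fi

SSH_DIR="$HOME/.ssh"
MB_SSH_KEY="${MB_SSH_KEY:-$SSH_DIR/id_ed25519}"
mkdir -p "$SSH_DIR"
chmod 700 "$SSH_DIR"

# Non-fatal: ssh gives the definitive error on first connect, but a missing or unreadable
# key almost always means the docker-compose volume mount is wrong, so say so up front.
if [ ! -r "$MB_SSH_KEY" ]; then
  printf 'warning: SSH key %s is missing or unreadable; check the key mount\n' "$MB_SSH_KEY" >&2
fi

# Write ~/.ssh/config straight from config.toml [mac] (no eval; values never hit a shell).
# IdentityFile is the in-container mount target (a container constant, see docker-compose.yml).
# StrictHostKeyChecking=accept-new auto-trusts the Mac's host key on first connect — acceptable
# on the private WireGuard network (same transport-trust reasoning as D9) and avoids an
# interactive prompt that would otherwise hang the bot.
#
# The file is created with mode 0600 from the start (os.open) rather than relying on the
# umask plus a later chmod, so there is no window where it is readable by other users.
# hostname/user/ssh_alias are rejected if they contain whitespace or control characters:
# ssh_config is line- and whitespace-delimited, so such a value would break out of its
# directive and could add further ones. config.toml is operator-owned, but the check is cheap
# and turns a confusing ssh failure into a clear startup error.
MB_SSH_KEY="$MB_SSH_KEY" \
SSH_CONFIG="$SSH_DIR/config" \
KNOWN_HOSTS="$SSH_DIR/known_hosts" \
python - <<'PY'
import os
import sys
import tomllib

CONFIG_PATH = "/app/config.toml"


def token(section, key, default=None):
    """Return section[key] (or default) as a single ssh_config token.

    Exits with a readable message instead of a KeyError traceback when a required key is
    missing, and refuses empty values or values containing whitespace/control characters,
    which could not be represented as one ssh_config token.
    """
    value = section.get(key, default)
    if value is None:
        sys.exit(f"{CONFIG_PATH}: [mac] is missing required key '{key}'")
    value = str(value)
    if not value or any(ch.isspace() or ord(ch) < 32 for ch in value):
        sys.exit(f"{CONFIG_PATH}: [mac].{key} must be a single non-empty token")
    return value


try:
    with open(CONFIG_PATH, "rb") as f:
        mac = tomllib.load(f)["mac"]
except FileNotFoundError:
    sys.exit(f"{CONFIG_PATH}: not found (is the config volume mounted?)")
except KeyError:
    sys.exit(f"{CONFIG_PATH}: no [mac] section")

config = f"""Host {token(mac, 'ssh_alias', 'mac-bridge')}
    HostName {token(mac, 'hostname')}
    User {token(mac, 'user')}
    IdentityFile {os.environ['MB_SSH_KEY']}
    IdentitiesOnly yes
    StrictHostKeyChecking accept-new
    UserKnownHostsFile {os.environ['KNOWN_HOSTS']}
"""

# Create 0600 up front; O_TRUNC covers a config left over from a previous container start.
fd = os.open(os.environ['SSH_CONFIG'], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
with os.fdopen(fd, "w") as f:
    f.write(config)
PY
# Belt and braces: O_CREAT's mode does not apply to a pre-existing file with a looser mode.
chmod 600 "$SSH_DIR/config"
exec "$@"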