#!/command/with-contenv sh
# shellcheck shell=sh
# Dashboard service. Always declared so s6 has a supervised slot; if
# HERMES_DASHBOARD isn't truthy the run script exits cleanly and the
# companion finish script returns 125 (s6's "permanent failure, do
# not restart" marker), so s6-svstat reports the slot as down. See
# also docker/s6-rc.d/dashboard/finish.

case "${HERMES_DASHBOARD:-}" in
    1|true|TRUE|True|yes|YES|Yes) ;;
    *)
        # Exit 0; the finish script will exit 125 → s6-supervise won't
        # restart us and the slot reports down. Using a clean exit
        # (rather than `exec sleep infinity`) means s6-svstat reflects
        # reality: when HERMES_DASHBOARD is unset, the service is NOT
        # running, just supervised-with-permanent-failure. See PR
        # #30136 review item I3.
        exit 0
        ;;
esac

# with-contenv repopulates HOME from /init as /root. Reset it before
# dropping privileges so HOME-anchored state lands under /opt/data.
export HOME=/opt/data

cd /opt/data
# shellcheck disable=SC1091
. /opt/hermes/.venv/bin/activate

dash_host="${HERMES_DASHBOARD_HOST:-0.0.0.0}"
dash_port="${HERMES_DASHBOARD_PORT:-9119}"

# The dashboard's auth gate engages automatically on non-loopback binds and
# REQUIRES a DashboardAuthProvider to be registered, else start_server fails
# closed. Two zero-infra ways to satisfy it in a container:
#   • Password: set HERMES_DASHBOARD_BASIC_AUTH_USERNAME + _PASSWORD (bundled
#     dashboard_auth/basic provider — no external IDP).
#   • OAuth:    set HERMES_DASHBOARD_OAUTH_CLIENT_ID (bundled nous provider).
#
# HERMES_DASHBOARD_INSECURE no longer disables the gate (June 2026 hardening:
# unauthenticated public dashboards were the entry point for the MCP-config
# persistence campaign). It is accepted but ignored; warn if set so operators
# migrate to a real provider.
case "${HERMES_DASHBOARD_INSECURE:-}" in
    1|true|TRUE|True|yes|YES|Yes)
        echo "[dashboard] HERMES_DASHBOARD_INSECURE no longer disables the auth gate." >&2
        echo "[dashboard] A non-loopback dashboard requires an auth provider:" >&2
        echo "[dashboard]   set HERMES_DASHBOARD_BASIC_AUTH_USERNAME + _PASSWORD (password)" >&2
        echo "[dashboard]   or HERMES_DASHBOARD_OAUTH_CLIENT_ID (OAuth)." >&2
        ;;
esac

# Skip the drop when already non-root.
[ "$(id -u)" = 0 ] || exec hermes dashboard --host "$dash_host" --port "$dash_port" --no-open
exec s6-setuidgid hermes hermes dashboard \
    --host "$dash_host" --port "$dash_port" --no-open
