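#!/usr/bin/env bash
#
# Consistency check for the Ory compose files.
#
# Confirms that the image tags rendered by `docker compose config` match the
# *_VERSION pins in .env, that no file falls back to a hard-coded Hydra
# v25.4.0, that init-rp does not run on the Hydra service image, and that the
# migration services are present. Exits 1 with an "ERROR:" line on stderr at
# the first violated rule.
#
# Usage: run from anywhere; paths are resolved relative to this script's
# parent directory. Requires docker (with the compose plugin), awk, grep, tr.
set -euo pipefail

repo_root="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"

#######################################
# Report a violated rule and stop.
# Arguments: $* - message (printed after "ERROR: ")
# Outputs:   message on stderr
# Returns:   never; exits 1
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Print the value assigned to a key in a dotenv-style file.
# Prints an empty line when the key is absent, so the caller can report the
# problem itself; a grep|cut pipeline would instead abort the script silently
# under `set -e -o pipefail` when grep finds nothing.
# When a key is repeated the last assignment is printed, which is presumably
# what Compose resolves too - TODO confirm.
# Arguments: $1 - key name, $2 - path to the env file
# Outputs:   everything after the first "=" on the matching line
#######################################
env_value() {
  local key=$1 file=$2
  awk -v prefix="${key}=" '
    index($0, prefix) == 1 { value = substr($0, length(prefix) + 1) }
    END { print value }
  ' "$file"
}

#######################################
# Print one service's block from a compose file as written on disk.
# The indentation of service names is taken from the first key below
# "services:", so the extraction does not depend on how many spaces the file
# uses, and a deeper key of the same name (for example under depends_on) is
# not mistaken for the service itself.
# Arguments: $1 - service name, $2 - path to the compose file
# Outputs:   the service's lines; nothing when the service is not defined
#######################################
service_block() {
  local name=$1 file=$2
  awk -v key="${name}:" '
    # Number of leading spaces on the current line.
    { match($0, /^ */); depth = RLENGTH }
    # Any top-level key opens or closes the services mapping.
    /^[^ #]/ { in_services = ($0 ~ /^services:/) }
    # A key at service depth or shallower ends the block being printed.
    in_block && depth <= svc_depth && /^ *[A-Za-z0-9_-]+:/ { exit }
    # The first key below services: fixes the indentation of service names.
    in_services && !svc_depth && /^ +[A-Za-z0-9_-]+:/ { svc_depth = depth }
    in_services && svc_depth && !in_block && depth == svc_depth && index($0, key) == depth + 1 { in_block = 1 }
    in_block { print }
  ' "$file"
}

# Rendered (interpolated) configuration of both compose files. Variables
# exported in the calling shell take precedence over --env-file during
# interpolation, so a mismatch reported below can originate in the
# environment rather than in .env.
root_config="$(
  docker compose --env-file "$repo_root/.env" -f "$repo_root/compose.ory.yaml" config
)"
docker_config="$(
  docker compose --env-file "$repo_root/.env" -f "$repo_root/docker/compose.ory.yaml" config
)"

for service in kratos hydra keto oathkeeper; do
  version_key="$(tr '[:lower:]' '[:upper:]' <<<"$service")_VERSION"
  expected_version="$(env_value "$version_key" "$repo_root/.env")"

  if [[ -z "$expected_version" ]]; then
    die "$version_key must be set in .env"
  fi

  # -F: the tag is compared literally, so "." in a version cannot act as a
  # regex wildcard. This is still a prefix match: a rendered tag that carries
  # a suffix after the pinned version also passes.
  # NOTE(review): tighten to a whole-tag comparison if suffixed tags are not
  # expected in this project.
  if ! grep -qF -- "image: oryd/${service}:${expected_version}" <<<"$root_config"; then
    die "compose.ory.yaml must render oryd/${service}:${expected_version}"
  fi
done

if grep -qF -- "oryd/hydra:v25.4.0" <<<"$root_config"; then
  die "compose.ory.yaml must not hard-code init-rp to hydra v25.4.0."
fi

# init-rp is inspected in the files as written, not in the rendered config, so
# an image supplied through a variable is not seen by this check.
root_init_rp="$(service_block init-rp "$repo_root/compose.ory.yaml")"
docker_init_rp="$(service_block init-rp "$repo_root/docker/compose.ory.yaml")"

# A here-string rather than a pipe: with pipefail, `grep -q` closing the pipe
# early could turn a match into a failed pipeline.
if grep -qF -- "image: oryd/hydra" <<<"${root_init_rp}"$'\n'"${docker_init_rp}"; then
  die "init-rp must not use the Hydra service image because distroless tags do not provide /bin/sh."
fi

if ! grep -qF -- "migrate sql up" "$repo_root/compose.ory.yaml"; then
  die "compose.ory.yaml Kratos migration must use migrate sql up."
fi

if ! grep -qF -- "keto-migrate:" <<<"$docker_config"; then
  die "docker/compose.ory.yaml must include keto-migrate for clean Ory installs."
fi

# Fail closed: without this test a missing or unreadable template makes grep
# return 2, which the `if` below would treat the same as "pattern not found"
# and the check would pass.
staging_template="$repo_root/docker/staging_pull_compose.template.yaml"
if [[ ! -r "$staging_template" ]]; then
  die "docker/staging_pull_compose.template.yaml is missing or unreadable."
fi

if grep -qF -- "releases/download/v25.4.0" "$staging_template"; then
  die "staging pull compose must not download a hard-coded Hydra v25.4.0 CLI."
fi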