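#!/usr/bin/env bash
# Secure .env file permissions (Quick Win). Run from project root.
# Usage: bash scripts/security/secure-env-permissions.sh [--dry-run]
#
# Sets mode 600 (owner read/write only) on a fixed list of .env files so
# that group and other accounts on the host cannot read them. Only the mode
# is changed; ownership is left as it is (see the closing message).
# Exit status: 0 on success, 1 if any file could not be checked or changed,
# 2 on a usage error.

set -euo pipefail

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
PROJECT_ROOT="$(cd "$SCRIPT_DIR/../.." && pwd)"

# Reject anything that is not --dry-run: a mistyped flag must never fall
# through to a run that really changes permissions.
DRY_RUN=false
for arg in "$@"; do
  case "$arg" in
    --dry-run)
      DRY_RUN=true
      ;;
    *)
      printf 'Unknown argument: %s\n' "$arg" >&2
      printf 'Usage: bash scripts/security/secure-env-permissions.sh [--dry-run]\n' >&2
      exit 2
      ;;
  esac
done

cd "$PROJECT_ROOT"

# Files to secure (relative to project root)
ENV_FILES=(
  ".env"
  "unifi-api/.env"
  "smom-dbis-138/.env"
  "dbis_core/.env"
)

#######################################
# Print the octal permission bits of a file.
# Arguments: $1 - path to inspect
# Outputs:   the mode (e.g. 644) on stdout
# Returns:   non-zero if neither stat variant could read the file
#######################################
file_mode() {
  local path=$1
  # -L follows symlinks so the reported mode belongs to the file that chmod
  # will change; without it a symlink always reports its own mode and is
  # re-chmodded on every run.
  # First form is GNU stat; the fallback is the BSD/macOS form.
  stat -L -c "%a" "$path" 2>/dev/null || stat -L -f "%A" "$path" 2>/dev/null
}

#######################################
# Restrict one env file to mode 600, or report what would change.
# Globals:   DRY_RUN (read)
# Arguments: $1 - path to the env file
# Outputs:   one status line on stdout when the mode differs from 600;
#            diagnostics on stderr
# Returns:   0 if the file is absent, already 600, or was handled;
#            1 if its mode could not be read or chmod failed
#######################################
secure_env_file() {
  local path=$1
  local mode

  # Absent files (and anything that is not a regular file) are skipped.
  [[ -f "$path" ]] || return 0

  # Validate the stat output: if the GNU form fails, the BSD-style fallback
  # can print unrelated text on GNU systems, which must not be read as a mode.
  if ! mode=$(file_mode "$path") || [[ ! "$mode" =~ ^[0-7]{1,4}$ ]]; then
    printf 'Error: cannot read permissions of %s\n' "$path" >&2
    return 1
  fi

  # Exact match on purpose: any other mode, including a stricter one such
  # as 400, is normalised to 600.
  [[ "$mode" != "600" ]] || return 0

  if [[ -L "$path" ]]; then
    # chmod follows symlinks, so the file that changes may live elsewhere.
    printf 'Note: %s is a symlink; the mode change applies to its target.\n' "$path" >&2
  fi

  if [[ "$DRY_RUN" == true ]]; then
    printf '%s\n' "[DRY-RUN] would chmod 600 $path (current: $mode)"
    return 0
  fi

  if ! chmod 600 "$path"; then
    printf 'Error: chmod 600 failed for %s\n' "$path" >&2
    return 1
  fi
  printf '%s\n' "chmod 600 $path"
}

# Keep going after a failure so one unreadable file does not leave the
# remaining env files unchecked; the failure is reported at the end.
failures=0
for f in "${ENV_FILES[@]}"; do
  secure_env_file "$f" || failures=$((failures + 1))
done

if ((failures > 0)); then
  printf 'Error: %d env file(s) could not be secured.\n' "$failures" >&2
  exit 1
fi

printf '%s\n' 'Done. Ensure ownership: chown $USER:$USER .env (and other env files) if needed.'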