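#!/usr/bin/env bash
# Static guardrail check for the reverse-proxy / mixed-content profile.
#
# Greps a fixed set of repository files for the patterns that keep the
# frontend usable behind a TLS-terminating reverse proxy and keep production
# CORS explicit. All paths are relative, so run this from the repository root.
# Exits 1 on the first failed check, 0 when every check passes.
set -euo pipefail

printf '%s\n' "[proxy-profile] validating reverse-proxy and mixed-content guardrails"

#######################################
# Assert that a file contains at least one line matching an ERE pattern.
# Arguments:
#   $1 - path of the file to inspect
#   $2 - grep -E pattern that must match
#   $3 - human-readable reason printed on failure
# Outputs:
#   failure diagnostics to stderr
# Returns:
#   0 if the pattern matches; exits the script with status 1 otherwise
#######################################
require_pattern() {
  local -r file="$1"
  local -r pattern="$2"
  local -r message="$3"
  # Report a missing file separately so it is not mistaken for a missing
  # pattern (grep would otherwise emit its own error before the FAIL line).
  if [[ ! -f "$file" ]]; then
    printf '%s\n' "[proxy-profile] FAIL: file not found ($file)" >&2
    exit 1
  fi
  # '--' keeps a pattern that begins with '-' from being parsed as an option.
  if ! grep -Eq -- "$pattern" "$file"; then
    printf '%s\n' "[proxy-profile] FAIL: $message ($file)" >&2
    exit 1
  fi
}

#######################################
# Assert that no line in a file matches an ERE pattern.
# Arguments:
#   $1 - path of the file to inspect
#   $2 - grep -E pattern that must NOT match
#   $3 - human-readable reason printed on failure
# Outputs:
#   failure diagnostics to stderr
# Returns:
#   0 if nothing matches; exits the script with status 1 otherwise
#######################################
forbid_pattern() {
  local -r file="$1"
  local -r pattern="$2"
  local -r message="$3"
  if [[ ! -f "$file" ]]; then
    printf '%s\n' "[proxy-profile] FAIL: file not found ($file)" >&2
    exit 1
  fi
  if grep -Eq -- "$pattern" "$file"; then
    printf '%s\n' "[proxy-profile] FAIL: $message ($file)" >&2
    exit 1
  fi
}

# Frontend should default to a relative API base in container builds, so the
# browser talks to the same origin it was served from (no scheme/host baked in).
require_pattern "frontend/Dockerfile" "ARG VITE_API_URL=/api/v1" \
  "VITE_API_URL default must be relative (/api/v1)"

# Frontend runtime proxy should forward /api with the usual forwarding headers.
require_pattern "frontend/nginx.conf" "location /api/" \
  "frontend nginx must proxy /api/"
# NOTE(review): only the presence of the directive is checked, not that its
# value is the client scheme; tighten the pattern once nginx.conf is confirmed.
require_pattern "frontend/nginx.conf" "proxy_set_header X-Forwarded-Proto" \
  "frontend nginx must set X-Forwarded-Proto"
require_pattern "frontend/nginx.conf" "proxy_set_header X-Forwarded-For" \
  "frontend nginx must set X-Forwarded-For"
require_pattern "frontend/nginx.conf" "proxy_set_header Host" \
  "frontend nginx must forward Host"

# Mixed-content guard in the frontend API client: a page served over HTTPS
# must not be configured to call an http: API base.
require_pattern "frontend/src/api.js" 'window\.location\.protocol === "https:".*parsed\.protocol === "http:"' \
  "frontend api client must contain HTTPS mixed-content protection"

# Production profile must not use wildcard CORS: require an explicit HTTPS
# origin list, and independently reject any CORS_ORIGINS line carrying '*'
# (the positive match alone would pass a file that also contains a wildcard).
require_pattern "ops/profiles/prod/.env.production.example" "^CORS_ORIGINS=https://[^*]+$" \
  "production profile must use explicit HTTPS CORS origins"
forbid_pattern "ops/profiles/prod/.env.production.example" '^CORS_ORIGINS=.*\*' \
  "production profile must not contain a wildcard CORS origin"

printf '%s\n' "[proxy-profile] PASS"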