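#!/usr/bin/env bash
# =============================================================================
# run_onchange_35-ensure-omp-secret-perms.sh.tmpl
# Force chmod 600 on every omp secret under ~/.omp/agent/. The encrypted
# sources are all named with the `private_` prefix (private_encrypted_*.age)
# so chezmoi SHOULD set 600 on first apply, but if a file already exists
# from a prior apply (before it gained the `private_` prefix), its mode
# stays at whatever umask gave it (typically 644 — world-readable).
# This script normalizes the mode so live API keys are never world-readable,
# regardless of the enclosing directory's perms.
#
# Re-triggered automatically whenever this script body changes (chezmoi
# hashes the body). Runs on all OSes (no os_family gate), so the mode probe
# has to cope with both GNU stat (`-c '%a'`) and BSD/macOS stat (`-f '%OLp'`);
# see file_mode below. If the mode cannot be read at all, the file is still
# chmod'ed: an unknown mode is treated as "not yet 600", never as "fine".
#
# Covered files:
#   zai.key    — Z.ai API key (literal, 1 line)
#   .env       — provider API keys (ANTHROPIC/OPENAI/... when populated)
#   models.yml — literal zai-coding provider key in apiKey:
#
# Exit status: 0 when the directory is absent or every present file ends up
# at 600; non-zero (via set -e) only if chmod itself fails.
# =============================================================================
set -euo pipefail

readonly SECRETS_DIR="${HOME}/.omp/agent"
readonly TARGET_MODE="600"
declare -ar SECRET_FILES=("zai.key" ".env" "models.yml")

# Prefixed, coloured status line on stdout.
log() { printf '\033[1;34m[omp-secret-perms]\033[0m %s\n' "$*"; }

#######################################
# Print a file's permission bits in octal (e.g. 644), portably.
# Tries GNU stat (-c '%a') first, then BSD/macOS stat (-f '%OLp').
# stderr of both probes is silenced on purpose: the GNU-style call
# failing on macOS (and vice versa) is expected, not worth reporting.
# Arguments: $1 - path to inspect
# Outputs:   octal mode on stdout
# Returns:   0 on success, 1 if neither stat variant could read the mode
#######################################
file_mode() {
  local target=$1 mode
  if mode=$(stat -c '%a' -- "$target" 2>/dev/null); then
    printf '%s\n' "$mode"
  elif mode=$(stat -f '%OLp' -- "$target" 2>/dev/null); then
    printf '%s\n' "$mode"
  else
    return 1
  fi
}

if [[ ! -d "$SECRETS_DIR" ]]; then
  log "~/.omp/agent not present on this box (omp not installed?) — skipping"
  exit 0
fi

fixed=0
for f in "${SECRET_FILES[@]}"; do
  path="${SECRETS_DIR}/${f}"

  # -f follows symlinks, as does chmod, so a linked secret gets its target
  # tightened rather than being skipped.
  if [[ ! -f "$path" ]]; then
    log "${f}: not present — skipping"
    continue
  fi

  # An unreadable mode counts as "needs fixing": chmod 600 is idempotent,
  # and leaving a secret possibly world-readable is the worse outcome.
  current_perm=$(file_mode "$path") || current_perm="unknown"
  if [[ "$current_perm" == "$TARGET_MODE" ]]; then
    log "${f}: already ${TARGET_MODE} — nothing to do"
    continue
  fi

  log "${f}: perm is ${current_perm}, fixing to ${TARGET_MODE}"
  chmod "$TARGET_MODE" -- "$path"
  log "${f}: perm now $(file_mode "$path" || printf 'unknown')"
  fixed=$((fixed + 1))
done

log "done (${fixed} file(s) changed)"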