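#!/usr/bin/env bash
# =============================================================================
# run_onchange_35-ensure-omp-models-perms.sh.tmpl
# Force chmod 600 on ~/.omp/agent/models.yml. The encrypted file is named
# `private_encrypted_models.yml.age` so chezmoi SHOULD set 600 on first apply,
# but if the file already exists from a prior apply (when it was named
# `encrypted_models.yml.age` without the `private_` prefix), the perm stays
# at whatever umask gave it (typically 644). This script normalizes the perm
# to 600 so the literal zai API key in models.yml isn't world-readable.
#
# Triggered by the body hash changing; current hash = sha256 of body.
# Runs on all OSes (no os_family gate), so the mode is read with GNU
# `stat -c` first and BSD/macOS `stat -f` as a fallback. With GNU-only
# syntax, `set -e` would abort on BSD/macOS before chmod ever ran and the
# key file would keep its loose mode.
#
# NOTE(review): tightening the mode does not undo earlier exposure. If the
# file was group/world-readable on a shared machine, the key was readable by
# other local users during that time; consider rotating it.
# =============================================================================
set -euo pipefail

MODELS_YML="${HOME}/.omp/agent/models.yml"

# Print one tagged status line to stdout.
log() { printf '\033[1;34m[omp-models-perms]\033[0m %s\n' "$*"; }

#######################################
# Print the octal permission bits of a file.
# Arguments: $1 - path to inspect
# Outputs:   mode (e.g. 600) on stdout
# Returns:   0 on success, 1 if neither stat flavour could read the mode
#######################################
file_mode() {
  local path=$1
  local mode
  if mode=$(stat -c '%a' -- "$path" 2>/dev/null); then
    :   # GNU coreutils / busybox syntax worked
  elif mode=$(stat -f '%Lp' -- "$path" 2>/dev/null); then
    :   # BSD / macOS syntax worked
  else
    return 1
  fi
  printf '%s\n' "$mode"
}

#######################################
# Ensure a file is mode 600, logging what was found and what was done.
# Arguments: $1 - path to the secrets file
# Outputs:   status lines via log()
# Returns:   0 when the file is absent or ends up 600; a chmod failure
#            aborts the script through `set -e`
#######################################
ensure_private_perms() {
  local target=$1
  local current_perm new_perm

  if [[ ! -f "$target" ]]; then
    log "models.yml not present on this box (omp not installed?) — skipping"
    return 0
  fi

  # Reading the mode is only for reporting. If it cannot be read we still
  # fall through to chmod, because that is the security-relevant step.
  current_perm=$(file_mode "$target") || current_perm="unknown"
  if [[ "$current_perm" == "600" ]]; then
    log "models.yml already 600 — nothing to do"
    return 0
  fi

  log "models.yml perm is $current_perm, fixing to 600"
  # chmod follows symlinks: if models.yml is a symlink, the link target's
  # mode is what changes.
  chmod 600 -- "$target"
  new_perm=$(file_mode "$target") || new_perm="unknown"
  log "models.yml perm now $new_perm"
}

ensure_private_perms "$MODELS_YML"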