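#!/bin/sh
# ─────────────────────────────────────────────────────────────────────────────
# FLUX container entrypoint.
#
# Runs as root briefly so we can:
#   1. Make sure every mounted upload dir AND every file inside is owned by
#      uid 1001 / gid 1001 (nextjs:nodejs). Without this, files written
#      previously when nextjs had nogroup (gid 65533) stay 1001:65533 and
#      sysadmins on the host see a wrong group.
#   2. Apply pending Prisma migrations idempotently.
#   3. Hand off to the Next.js server, dropping privileges to nextjs.
#
# Everything before the final `exec su-exec` line runs with root privileges,
# so keep this script minimal and never feed it request- or upload-derived
# values.
# ─────────────────────────────────────────────────────────────────────────────
set -eu

# Owner applied to the upload trees: uid 1001 / gid 1001 (nextjs:nodejs).
UPLOAD_OWNER=1001:1001

# Recursively normalise ownership on every mounted public/* folder. Recursive
# is fine because (a) Prisma and Next.js never read /app/public except from
# fs APIs that don't care about ownership, and (b) the chown is fast on local
# disk even with thousands of files — runs once per container start.
#
# Security note: these trees hold content written by the unprivileged app
# user, and this chown runs as root. -h makes chown act on a symlink itself
# rather than on whatever it points to; without it, some chown implementations
# (BusyBox is believed to be one — verify against the base image) re-own the
# link target, so a symlink planted in an upload dir could hand a file outside
# the tree to uid 1001 at the next start. -h does not close a rename race
# during the walk; a read-only or nosymfollow mount is the stronger control.
# The listed paths are expected to be real directories (mount points), not
# symlinks: with -h a symlinked top-level path is re-owned but not descended.
for dir in \
  /app/public/branding \
  /app/public/footage \
  /app/public/applications \
  /app/public/cases \
  /app/public/news \
  /app/public/parts \
  /app/public/operations-inbox \
  /app/public/heritage; do
  [ -d "$dir" ] || continue
  # Best-effort on purpose (e.g. read-only mounts): per-file errors are
  # suppressed, but a one-line warning is emitted so a failed normalisation
  # is visible in the container log instead of passing silently.
  if ! chown -R -h "$UPLOAD_OWNER" "$dir" 2>/dev/null; then
    printf 'entrypoint: warning: could not normalise ownership of %s\n' "$dir" >&2
  fi
done

# Run pending migrations (idempotent) as the unprivileged user. Under set -e
# a failed migration aborts the start-up before the server is launched.
su-exec nextjs node ./node_modules/prisma/build/index.js migrate deploy

# Boot the Next.js server as the unprivileged user. exec replaces this root
# shell, so no root-owned process is left running in the container.
exec su-exec nextjs node server.js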