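#!/usr/bin/env bash
#
# Start or stop the toolbox container described by the docker-compose.yml
# that sits next to this script.
#
# Usage: <script> [up|down] [additional docker compose args]
#
# Optional environment overrides:
#   USER_ID_OVERRIDE, GROUP_ID_OVERRIDE  exported as LOCAL_UID / LOCAL_GID
#                                        (default: id -u / id -g)
#   USERNAME_OVERRIDE                    exported as LOCAL_USERNAME
#   TOOLBOX_IMAGE_OVERRIDE               exported as TOOLBOX_IMAGE
set -euo pipefail

#######################################
# Reject a value that contains one of the shell metacharacters ; | & ` $.
# This is a denylist: whitespace, newlines, quotes, parentheses and
# redirection characters still pass. Every expansion in this script is
# quoted, so the check mainly protects whatever consumes the exported
# variables; how docker-compose.yml uses them is not visible from here.
# Arguments: $1 - value to check
# Outputs:   error message on stderr when the value is rejected
# Returns:   0 when accepted; exits the script with status 1 otherwise
#######################################
sanitized_input() {
  local input="$1"
  case "$input" in
    *[\;\|\&\`\$]*)
      echo "Error: Invalid input detected: $input" >&2
      exit 1
      ;;
  esac
}

#######################################
# Require a value to be a plain non-negative integer (allowlist check).
# Arguments: $1 - variable name used in the error message
#            $2 - value to check
# Outputs:   error message on stderr when the value is rejected
# Returns:   0 when accepted; exits the script with status 1 otherwise
#######################################
require_numeric_id() {
  local name="$1"
  local value="$2"
  if [[ ! "$value" =~ ^[0-9]+$ ]]; then
    # %q prints the rejected value shell-quoted, so control characters in it
    # are not written raw to the terminal.
    printf 'Error: %s must be a non-negative integer, got: %q\n' \
      "$name" "$value" >&2
    exit 1
  fi
}

# Validate dependencies
if ! command -v docker &> /dev/null; then
  echo "Error: docker is required but not installed." >&2
  exit 1
fi

# `command -v docker compose` looks up two separate names ("docker" and
# "compose") and succeeds as soon as one of them exists, so it could never
# detect a missing compose plugin. Ask docker itself instead.
if ! docker compose version &> /dev/null; then
  echo "Error: docker compose is required but not installed." >&2
  exit 1
fi

SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
COMPOSE_FILE="${SCRIPT_DIR}/docker-compose.yml"

# Values handed to docker compose through the environment. The ids are
# checked against an allowlist (digits only); the free-form values go
# through the metacharacter denylist.
export LOCAL_UID="${USER_ID_OVERRIDE:-$(id -u)}"
require_numeric_id "LOCAL_UID" "$LOCAL_UID"
export LOCAL_GID="${GROUP_ID_OVERRIDE:-$(id -g)}"
require_numeric_id "LOCAL_GID" "$LOCAL_GID"
export LOCAL_USERNAME="${USERNAME_OVERRIDE:-toolbox}"
sanitized_input "$LOCAL_USERNAME"
export TOOLBOX_IMAGE="${TOOLBOX_IMAGE_OVERRIDE:-tsysdevstack-toolboxstack-toolbox-qadocker:release-current}"
sanitized_input "$TOOLBOX_IMAGE"

if [[ ! -f "${COMPOSE_FILE}" ]]; then
  echo "Error: docker-compose.yml not found at ${COMPOSE_FILE}" >&2
  exit 1
fi

ACTION="${1:-up}"
sanitized_input "$ACTION"
# With no positional arguments `shift` fails; that is expected here and must
# not abort the script under `set -e`.
shift || true

if [[ "${ACTION}" == "up" ]]; then
  # Pre-create the tool directories as the invoking user. mkdir applies the
  # caller's umask; no explicit mode is set here.
  # NOTE(review): presumably these are bind-mounted by docker-compose.yml and
  # would otherwise be created by the docker daemon -- confirm.
  mkdir -p "${HOME}/.local/share/mise" "${HOME}/.cache/mise"
  mkdir -p "${HOME}/.config/aquaproj-aqua"
fi

# Remaining arguments ("$@") are forwarded to docker compose as separate,
# quoted words; anything other than up/down is rejected with the usage text.
case "${ACTION}" in
  up)
    docker compose -f "${COMPOSE_FILE}" up --build --detach "$@"
    echo "Container started. Use 'docker exec -it tsysdevstack-toolboxstack-toolbox-qadocker zsh' to access the shell."
    ;;
  down)
    docker compose -f "${COMPOSE_FILE}" down "$@"
    echo "Container stopped."
    ;;
  *)
    echo "Usage: $0 [up|down] [additional docker compose args]" >&2
    exit 1
    ;;
esac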