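#!/bin/bash
#
# Container entrypoint: sanity-check the mount layout, then hand control to
# the application.
#
# Expected layout:
#   /app/data     the only writable location for the dexorder user
#   /app/config   read-only
#   /app/secrets  read-only
# All other directories should be read-only (enforced by the k8s
# readOnlyRootFilesystem setting). This script only verifies the layout: it
# does not change ownership or modes, and it is not the enforcement point.
set -e

# k8s may mount the volume with different ownership, so confirm the current
# user can write to /app/data before the application starts.
# NOTE(review): `[ -w ]` tests access for the user running this script. If the
# container runs as root, mode bits are bypassed and the test effectively only
# reports whether the mount is read-only; confirm the pod runs as the
# unprivileged user.
if [ ! -d /app/data ]; then
  echo "ERROR: /app/data does not exist" >&2
  exit 1
fi
if [ ! -w /app/data ]; then
  echo "ERROR: /app/data is not writable by dexorder user" >&2
  exit 1
fi

# /app/config and /app/secrets should already be read-only via the k8s mount.
# This is an advisory warning only: startup continues. It also checks only the
# directory itself, so a writable file inside a read-only directory is not
# reported here.
for dir in /app/config /app/secrets; do
  if [ -d "$dir" ] && [ -w "$dir" ]; then
    echo "WARNING: $dir is writable but should be read-only" >&2
  fi
done

# Replace this shell with the application so that it receives signals
# directly; any arguments given to the entrypoint are forwarded unchanged.
exec /opt/conda/envs/dexorder/bin/python /app/main.py "$@"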