#!/usr/bin/env bash
# Single source of truth for the MC forge git remote used to clone this repo onto
# cloud build/worker boxes. SOURCE it (it `return`s); it exports MC_FORGE_GIT_REMOTE.
#
# Uses the stable HOSTNAME (forge.mc.uvlava.com), never a hardcoded IP — the forge
# is no longer its own droplet, it rides a shared services box and can be moved
# between hosts; the DNS name is the contract, an IP is not. (Old dead endpoint
# was 159.203.170.249:3000/mcadmin — gone.)
#
# Auth = the services forge token (read-only clone is all a worker needs). The
# token is injected into the URL in-process only; callers pass MC_FORGE_GIT_REMOTE
# via PKR_VAR_*/TF_VAR_* ENV (never on argv), per cloud-dx-do.md's creds rule.
#
# Overridable for testing: MC_FORGE_HOST, MC_FORGE_ORG, MC_FORGE_TOKEN_FILE.

: "${MC_FORGE_HOST:=forge.mc.uvlava.com}"
: "${MC_FORGE_ORG:=applications}"
: "${MC_FORGE_TOKEN_FILE:=$HOME/.vault/services-forge-token}"

if [ ! -r "$MC_FORGE_TOKEN_FILE" ]; then
  echo "forge-remote: no forge token at $MC_FORGE_TOKEN_FILE" >&2
  return 1 2>/dev/null || exit 1
fi

_mc_forge_token="$(cat "$MC_FORGE_TOKEN_FILE")"
if [ -z "$_mc_forge_token" ]; then
  echo "forge-remote: forge token file is empty: $MC_FORGE_TOKEN_FILE" >&2
  unset _mc_forge_token
  return 1 2>/dev/null || exit 1
fi

# Gitea accepts the token as the basic-auth password with user "oauth2".
export MC_FORGE_GIT_REMOTE="https://oauth2:${_mc_forge_token}@${MC_FORGE_HOST}/${MC_FORGE_ORG}/magicciv.git"
unset _mc_forge_token