#!/usr/bin/env bash
# 在 moicen 本机执行（由 CI 通过 ssh … bash -s 注入）。只读：PG 探活、redis ping、日志 tail。
set -euo pipefail

echo "=== moicen readonly verify $(date -u +%Y-%m-%dT%H:%M:%SZ) ==="

sanitize_output() {
  sed -E \
    -e 's/(Bearer )[A-Za-z0-9._-]+/\1<redacted>/g' \
    -e 's/((token|password|passwd|secret)[=: ]+)[^[:space:]]+/\1<redacted>/Ig' \
    -e 's/[0-9]{1,3}(\.[0-9]{1,3}){3}/<redacted-ip>/g'
}

HTYPROC_ENV="${HOME}/works/huike-back/htyproc/.env"
if [[ ! -r "$HTYPROC_ENV" ]]; then
  echo "ERROR: cannot read ${HTYPROC_ENV}"
  exit 1
fi

set -a
# shellcheck disable=SC1090
source "$HTYPROC_ENV"
set +a

if [[ -z "${TS_DATABASE_URL:-}" ]]; then
  echo "ERROR: TS_DATABASE_URL unset after sourcing ${HTYPROC_ENV}"
  exit 1
fi

echo "--- PostgreSQL (TS_DATABASE_URL) ---"
psql "$TS_DATABASE_URL" -v ON_ERROR_STOP=1 -c "SELECT 1 AS connectivity_ok;"

echo "--- Redis ---"
redis-cli ping

echo "--- htyproc log (tail, last 50 lines) ---"
tail -n 50 "${HOME}/works/huike-back/htyproc/htyproc.nohup.log" 2>/dev/null | sanitize_output || echo "(no htyproc log)"

echo "--- OpenResty error.log (tail, last 30 lines) ---"
tail -n 30 /usr/local/openresty/nginx/logs/error.log 2>/dev/null | sanitize_output || echo "(no nginx error log)"

echo "=== moicen readonly verify OK ==="